GHSA-g4px-6qhm-hqjm

Source
https://github.com/advisories/GHSA-g4px-6qhm-hqjm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-g4px-6qhm-hqjm/GHSA-g4px-6qhm-hqjm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g4px-6qhm-hqjm
Aliases
Published
2025-08-08T12:32:17Z
Modified
2025-11-05T20:51:43.251492Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Summary
Apache CXF: Untrusted JMS configuration can lead to RCE
Details

Previously, if untrusted users were allowed to configure JMS for Apache CXF, they could supply RMI or LDAP URLs, potentially leading to code execution. This interface is now restricted to reject those protocols, removing this possibility.

Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.

Database specific
{
    "github_reviewed_at": "2025-08-08T16:44:10Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20"
    ],
    "nvd_published_at": "2025-08-08T10:15:25Z",
    "severity": "MODERATE"
}
References

Affected packages

Maven

org.apache.cxf:cxf-rt-transports-jms

Package

Name
org.apache.cxf:cxf-rt-transports-jms
Purl
pkg:maven/org.apache.cxf/cxf-rt-transports-jms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.6.8

Affected versions

2.*

2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.0.11
2.0.12
2.0.13
2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.2
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.2.11
2.2.12
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.3.10
2.3.11
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.5.9
2.5.10
2.5.11
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.6.15
2.6.16
2.6.17
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15
2.7.16
2.7.17
2.7.18

3.*

3.0.0-milestone1
3.0.0-milestone2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.2.10
3.2.11
3.2.12
3.2.13
3.2.14
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.3.10
3.3.11
3.3.12
3.3.13
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.4.9
3.4.10
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.5.11
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7

org.apache.cxf:cxf-rt-transports-jms

Package

Name
org.apache.cxf:cxf-rt-transports-jms
Purl
pkg:maven/org.apache.cxf/cxf-rt-transports-jms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.0.9

Affected versions

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8

org.apache.cxf:cxf-rt-transports-jms

Package

Name
org.apache.cxf:cxf-rt-transports-jms
Purl
pkg:maven/org.apache.cxf/cxf-rt-transports-jms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.0
Fixed
4.1.3

Affected versions

4.*

4.1.0
4.1.1
4.1.2