cxf-core-3.3.10.jar vulnerability 

Issue date: 21-09-2021
Affects versions: 14.6, 13.4, 12.6

Security Issue ID

SECURITY-246

 

Affected Product Version(s)

12.6.16, 13.4.9, 14.6.0 and previous releases.


Severity 

medium


Description

CVE-2021-30468

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.

CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CVSSv2:

  • Base Score: MEDIUM (5.0)
  • Vector: /AV:N/AC:L/Au:N/C:N/I:N/A

CVSSv3:

  • Base Score: HIGH (7.5)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Instructions

Customers using the 12.x, 13.x and 14.x major versions are recommended to upgrade to the latest version in that series.