For information on how to report a new security problem please see here.
2022
- CVE-2022-46363: Apache CXF directory listing / code exfiltration
- CVE-2022-46364: Apache CXF SSRF Vulnerability
2021
- CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter
- CVE-2021-22696: OAuth 2 authorization service vulnerable to DDoS attacks
2020
- CVE-2020-13954: Apache CXF Reflected XSS in the services listing page via the styleSheetPath
- CVE-2020-1954: Apache CXF JMX Integration is vulnerable to a MITM attack
2019
- CVE-2019-17573: Apache CXF Reflected XSS in the services listing page
- CVE-2019-12423: Apache CXF OpenId Connect JWK Keys service returns private/secret credentials if configured with a jwk keystore
- CVE-2019-12419: Apache CXF OpenId Connect token service does not properly validate the clientId
- CVE-2019-12406: Apache CXF does not restrict the number of message attachments
2018
- CVE-2018-8039: Apache CXF TLS hostname verification does not work correctly with com.sun.net.ssl.
- CVE-2018-8038: Apache CXF Fediz is vulnerable to DTD based XML attacks
2017
- CVE-2017-12631: CSRF vulnerabilities in the Apache CXF Fediz Spring plugins.
- CVE-2017-12624: Apache CXF web services that process attachments are vulnerable to Denial of Service (DoS) attacks.
- CVE-2017-7662: The Apache CXF Fediz OIDC Client Registration Service is vulnerable to CSRF attacks.
- CVE-2017-7661: The Apache CXF Fediz Jetty and Spring plugins are vulnerable to CSRF attacks.
- CVE-2017-5656: Apache CXF's STSClient uses a flawed way of caching tokens that are associated with delegation tokens.
- CVE-2017-5653: Apache CXF JAX-RS XML Security streaming clients do not validate that the service response was signed or encrypted.
- CVE-2017-3156: Apache CXF OAuth2 Hawk and JOSE MAC Validation code is vulnerable to timing attacks
2016
- CVE-2016-8739: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE
- CVE-2016-6812: XSS risk in Apache CXF FormattedServiceListWriter when a request URL contains matrix parameters
- CVE-2016-4464: Apache CXF Fediz application plugins do not match the SAML AudienceRestriction values against the list of configured audience URIs
...