CVE-2017-12624

Summary

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache CXFprior to 3.1.14affected
Apache Software FoundationApache CXF3.2.x prior to 3.2.1affected

Weaknesses

  • Denial of Service

ADP Enrichment

CVE Program Container

Additional References

References