CVE-2024-28752

EUVD-2024-0991
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.3 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
Affected Products (NVD)
VendorProductVersion
apachecxf
𝑥
< 3.5.8
apachecxf
3.6.0 ≤
𝑥
< 3.6.3
apachecxf
4.0.0 ≤
𝑥
< 4.0.4
netapponcommand_workflow_automation
-
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
apachecxf
𝑥
< 4.0.4
ADP
apachecxf
𝑥
< 3.6.3
ADP
apachecxf
𝑥
< 3.5.8
ADP
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/03/14/3
https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt
https://security.netapp.com/advisory/ntap-20240517-0001/
http://www.openwall.com/lists/oss-security/2024/03/14/3
https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt
https://security.netapp.com/advisory/ntap-20240517-0001/