{"containers": {"cna": {"affected": [{"product": "Apache CXF", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "prior to 3.1.14"}, {"status": "affected", "version": "3.2.x prior to 3.2.1"}]}], "datePublic": "2017-11-14T00:00:00", "descriptions": [{"lang": "en", "value": "Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property \"attachment-max-header-size\"."}], "problemTypes": [{"descriptions": [{"description": "Denial of Service", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-06-16T11:06:11", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "RHSA-2018:2428", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2428"}, {"name": "1040486", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1040486"}, {"name": "RHSA-2018:2424", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2424"}, {"name": "RHSA-2018:2423", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2423"}, {"name": "RHSA-2018:2425", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2425"}, {"name": "101859", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101859"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc"}, {"name": "[cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "2017-11-14T00:00:00", "ID": "CVE-2017-12624", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache CXF", "version": {"version_data": [{"version_value": "prior to 3.1.14"}, {"version_value": "3.2.x prior to 3.2.1"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property \"attachment-max-header-size\"."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Denial of Service"}]}]}, "references": {"reference_data": [{"name": "RHSA-2018:2428", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2428"}, {"name": "1040486", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1040486"}, {"name": "RHSA-2018:2424", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2424"}, {"name": "RHSA-2018:2423", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2423"}, {"name": "RHSA-2018:2425", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2425"}, {"name": "101859", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101859"}, {"name": "http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc", "refsource": "CONFIRM", "url": "http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc"}, {"name": "[cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T18:43:56.230Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2018:2428", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2428"}, {"name": "1040486", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1040486"}, {"name": "RHSA-2018:2424", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2424"}, {"name": "RHSA-2018:2423", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2423"}, {"name": "RHSA-2018:2425", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2425"}, {"name": "101859", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/101859"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc"}, {"name": "[cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E"}, {"name": "[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2017-12624", "datePublished": "2017-11-14T16:00:00Z", "dateReserved": "2017-08-07T00:00:00", "dateUpdated": "2024-09-17T00:05:34.380Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AF21E3A-7B39-438D-84FF-E7D433734AB5", "versionEndExcluding": "3.0.16", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "matchCriteriaId": "8ECCC99D-79CD-4B6C-9A46-521155BDDA9D", "versionEndExcluding": "3.1.14", "versionStartIncluding": "3.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "matchCriteriaId": "13FC7274-9967-4648-9FF5-1DA1518BC6DA", "versionEndExcluding": "3.2.1", "versionStartIncluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property \"attachment-max-header-size\"."}, {"lang": "es", "value": "Apache CXF es compatible con el env\u00edo y la recepci\u00f3n de archivos adjuntos mediante las especificaciones JAX-WS o JAX-RS. Es posible manipular una cabecera de adjunto de mensaje que podr\u00eda conducir a un ataque de denegaci\u00f3n de servicio (DoS) en un proveedor de servicios web de CXF. Tanto los servicios JAX-WS como JAX-RS son vulnerables a este ataque. Desde las versiones 3.2.1 y 3.1.14 de Apache CXF, la cabeceras de adjunto de mensaje de m\u00e1s de 300 caracteres se rechazar\u00e1n por defecto. Este valor puede configurarse mediante la propiedad \"attachment-max-header-size\"."}], "id": "CVE-2017-12624", "lastModified": "2023-11-07T02:38:26.897", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-14T16:29:00.203", "references": [{"source": "security@apache.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc"}, {"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101859"}, {"source": "security@apache.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1040486"}, {"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2018:2423"}, {"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2018:2424"}, {"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2018:2425"}, {"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2018:2428"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2018:2425", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1", "package": "cxf", "product_name": "Red Hat JBoss EAP 7.1", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-activemq-artemis-0:1.5.5.013-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-bouncycastle-0:1.56.0-5.redhat_3.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-guava-libraries-0:25.0.0-1.redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-hibernate-0:5.1.15-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-ironjacamar-0:1.4.10-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jberet-0:1.2.6-2.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jboss-ejb-client-0:4.0.11-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jboss-remoting-0:5.0.8-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-jboss-server-migration-0:1.0.6-4.Final_redhat_4.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-mod_cluster-0:1.3.10-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-narayana-0:5.5.32-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-picketlink-bindings-0:2.5.5-13.SP12_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-picketlink-federation-0:2.5.5-13.SP12_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-resteasy-0:3.0.26-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-undertow-0:1.4.18-7.SP8_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-wildfly-0:7.1.4-1.GA_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-wildfly-javadocs-0:7.1.4-2.GA_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-wildfly-naming-client-0:1.0.9-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-wildfly-openssl-linux-0:1.0.6-14.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-wildfly-transaction-client-0:1.0.4-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2423", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7::el6", "package": "eap7-wildfly-web-console-eap-0:2.9.18-1.Final_redhat_1.1.ep7.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-activemq-artemis-0:1.5.5.013-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-bouncycastle-0:1.56.0-5.redhat_3.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-guava-libraries-0:25.0.0-1.redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-hibernate-0:5.1.15-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-ironjacamar-0:1.4.10-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jberet-0:1.2.6-2.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jboss-ejb-client-0:4.0.11-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jboss-remoting-0:5.0.8-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-jboss-server-migration-0:1.0.6-4.Final_redhat_4.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-mod_cluster-0:1.3.10-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-narayana-0:5.5.32-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-picketlink-bindings-0:2.5.5-13.SP12_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-picketlink-federation-0:2.5.5-13.SP12_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-resteasy-0:3.0.26-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-undertow-0:1.4.18-7.SP8_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-wildfly-0:7.1.4-1.GA_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-wildfly-javadocs-0:7.1.4-2.GA_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-wildfly-naming-client-0:1.0.9-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-wildfly-openssl-linux-0:1.0.6-14.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-wildfly-transaction-client-0:1.0.4-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7", "package": "eap7-wildfly-web-console-eap-0:2.9.18-1.Final_redhat_1.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7", "release_date": "2018-08-15T00:00:00Z"}, {"advisory": "RHSA-2018:2428", "cpe": "cpe:/a:redhat:jboss_single_sign_on:7.2", "package": "cxf", "product_name": "Red Hat Single Sign-On 7.2.4 zip", "release_date": "2018-08-15T00:00:00Z"}], "bugzilla": {"description": "cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services", "id": "1515976", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1515976"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-20", "details": ["Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property \"attachment-max-header-size\"."], "name": "CVE-2017-12624", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Not affected", "package_name": "cxf", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Not affected", "package_name": "cxf", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Not affected", "package_name": "cxf", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Not affected", "package_name": "cxf", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Not affected", "package_name": "cxf", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Will not fix", "package_name": "cxf", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Will not fix", "package_name": "cxf", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Affected", "package_name": "cxf", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "cxf", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:fuse_integration_services:2", "fix_state": "Affected", "package_name": "cxf", "product_name": "Red Hat JBoss Fuse Integration Service 2"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Will not fix", "package_name": "cxf", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Not affected", "package_name": "cxf", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6", "fix_state": "Not affected", "package_name": "cxf", "product_name": "Red Hat JBoss Portal 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Will not fix", "package_name": "cxf", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "cxf", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2017-11-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-12624\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-12624"], "threat_severity": "Moderate", "upstream_fix": "cxf 3.1.14, cxf 3.2.1"}