Bug 2270732 (CVE-2024-28752)
| Summary: | CVE-2024-28752 cxf-core: Apache CXF SSRF Vulnerability using the Aegis databinding | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aileenc, asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, chfoley, cmiranda, darran.lofthouse, dhanak, dkreling, dosoudil, dpalmer, drichtar, ecerquei, fjuma, fmariani, fmongiar, gmalinko, ibek, istudens, ivassile, iweiss, janstey, jcantril, jkoops, jnethert, jpoth, jrokos, jscholz, kverlaen, lgao, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, pcongius, pdelbell, pdrozd, peholase, pesilva, pjindal, pmackay, pskopek, rguimara, rmartinc, rojacob, rowaters, rstancel, rstepani, smaestri, sthorger, swoodman, tcunning, tom.jenkinson, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | cxf-core 3.5.8, cxf-core 3.6.3, cxf-core 4.0.4 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A server-side request forgery (SSRF) vulnerability was found in Apache CXF. This issue occurs in attacks on webservices that take at least one parameter of any type, and when Aegisdatabind is used. Users of other data bindings including the default databinding are not impacted.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2270719 | ||
|
Description
Patrick Del Bello
2024-03-21 15:15:01 UTC
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2024:3559 https://access.redhat.com/errata/RHSA-2024:3559 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2024:3561 https://access.redhat.com/errata/RHSA-2024:3561 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2024:3560 https://access.redhat.com/errata/RHSA-2024:3560 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2024:3563 https://access.redhat.com/errata/RHSA-2024:3563 This issue has been addressed in the following products: Red Hat build of Apache Camel 3.20.6 for Spring Boot Via RHSA-2024:3708 https://access.redhat.com/errata/RHSA-2024:3708 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2024:5482 https://access.redhat.com/errata/RHSA-2024:5482 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Via RHSA-2024:5479 https://access.redhat.com/errata/RHSA-2024:5479 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Via RHSA-2024:5481 https://access.redhat.com/errata/RHSA-2024:5481 This issue has been addressed in the following products: RHINT Camel-K 1.10.8 Via RHSA-2024:8339 https://access.redhat.com/errata/RHSA-2024:8339 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 Via RHSA-2024:10208 https://access.redhat.com/errata/RHSA-2024:10208 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Via RHSA-2024:10207 https://access.redhat.com/errata/RHSA-2024:10207 |