Bug 2380189 (CVE-2025-48795)
| Summary: | CVE-2025-48795 org.apache.cxf/cxf: Apache CXF denial of service and data exposure | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, darran.lofthouse, dkreling, dosoudil, fjuma, istudens, ivassile, iweiss, lgao, mosmerov, msochure, msvehla, nwallace, pesilva, pjindal, pmackay, rstancel, smaestri, tom.jenkinson |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A log processing flaw was found in Apache CXF. Large stream-based messages are stored as temporary files on the local file system, read into memory, and then logged. This flaw allows an attacker to cause a denial of service attack by triggering an out-of-memory exception. Additionally, it is possible to configure CXF to encrypt temporary files, preventing sensitive credentials from being cached unencrypted on the local filesystem. However, this bug means that the cached files are written out to logs unencrypted.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2025-07-15 15:01:38 UTC
|