=====================================================================

                              CERT-Renater

                   Note d'Information No. 2024/VULN135
_____________________________________________________________________

DATE                : 21/03/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache CXF versions prior
                              to 4.0.4, 3.6.3, 3.5.8.

=====================================================================
https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt
_____________________________________________________________________

CVE-2024-28752: Apache CXF SSRF Vulnerability using the Aegis
databinding
Severity: important

Affected versions:

- Apache CXF before 4.0.4, 3.6.3, 3.5.8

Description:

A SSRF vulnerability using the Aegis DataBinding in versions of Apache
CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF
style attacks on webservices that take at least one parameter of any
type. Users of other data bindings (including the default databinding)
are not impacted.


Credit:

Tobias S. Fink (finder)


References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-28752


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================