CVE-2024-28752: Apache CXF SSRF Vulnerability using the Aegis databinding

Vendor: Apache Software Foundation
Product: Apache CXF
Weakness: CWE-918 (SSRF)
Published: March 15, 2024
Last update: February 13, 2025

What the vulnerability does

Description

An SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

Key dates

Disclosure timeline

March 15, 2024: CVE published
February 13, 2025: Record updated