org.apache.cxf:cxf-core@4.1.6

  • latest version

    4.2.2

  • latest non-vulnerable version

  • first published

    12 years ago

  • latest version published

    25 days ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.apache.cxf:cxf-core package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • H
    XML External Entity (XXE) Injection

    org.apache.cxf:cxf-core is an open source services framework. CXF helps you build and develop services using frontend programming APIs, like JAX-WS and JAX-RS.

    Affected versions of this package are vulnerable to XML External Entity (XXE) Injection due to improper configuration of the SAXParserFactory in the EndpointReferenceUtils and W3CMultiSchemaFactory classes. An attacker can access sensitive files or interact with internal systems by submitting specially crafted XML data containing external entities.

    How to fix XML External Entity (XXE) Injection?

    Upgrade org.apache.cxf:cxf-core to version 4.1.7, 4.2.2 or higher.

    [,4.1.7) [4.2.0,4.2.2)
    • H
    Allocation of Resources Without Limits or Throttling

    org.apache.cxf:cxf-core is an open source services framework. CXF helps you build and develop services using frontend programming APIs, like JAX-WS and JAX-RS.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of restriction on the number of attachment headers during message deserialization. An attacker can exhaust system resources and cause service disruption by sending messages with an excessive number of attachment headers.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade org.apache.cxf:cxf-core to version 4.1.7, 4.2.2 or higher.

    [,4.1.7) [4.2.0,4.2.2)