org.apache.cxf:cxf-rt-transports-http@3.0.11 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.cxf:cxf-rt-transports-http package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Information Exposure

org.apache.cxf:cxf-rt-transports-http is an open source services framework.

Affected versions of this package are vulnerable to Information Exposure which allows an attacker to perform a remote directory listing or code exfiltration. Exploiting this vulnerability is possible when the CXF service is misconfigured.

NOTE The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes.

How to fix Information Exposure?

Upgrade org.apache.cxf:cxf-rt-transports-http to version 3.4.10, 3.5.5 or higher.

[,3.4.10) [3.5.0,3.5.5)
  • H
Cross-site Scripting (XSS)

org.apache.cxf:cxf-rt-transports-http is an open source services framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the /services page, via the styleSheetPath, which allows a malicious actor to inject Javascript into the web page. This is a separate issue to CVE-2019-17573.

How to fix Cross-site Scripting (XSS)?

Upgrade org.apache.cxf:cxf-rt-transports-http to version 3.3.8, 3.4.1 or higher.

[,3.3.8) [3.4.0,3.4.1)
  • M
Cross-site Scripting (XSS)

org.apache.cxf:cxf-rt-transports-http is an open source services framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable.

How to fix Cross-site Scripting (XSS)?

Upgrade org.apache.cxf:cxf-rt-transports-http to version 3.2.12, 3.3.5 or higher.

[,3.2.12) [3.3.0,3.3.5)
  • H
Man-in-the-Middle (MitM)

org.apache.cxf:cxf-rt-transports-http is an open source services framework.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). When configuring CXF to use the com.sun.net.ssl implementation via:

System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");

It attempts to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface, but the default HostnameVerifier implementation in CXF does not implement the method in this interface which caused an exception is thrown. This exception caught in the reflection code and not properly propagated. Thus the TLS hostname verification error will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

How to fix Man-in-the-Middle (MitM)?

Upgrade org.apache.cxf:cxf-rt-transports-http to version 3.1.16, 3.2.6 or higher.

[,3.1.16) [3.2.0,3.2.6)
  • M
Cross-site Scripting (XSS)

org.apache.cxf:cxf-rt-transports-http is an open source services framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Apache CXF HTTP transport module uses FormattedServiceListWriter to provide an HTML page which lists the names and the absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.

How to fix Cross-site Scripting (XSS)?

Upgrade org.apache.cxf:cxf-rt-transports-http to version 3.0.12, 3.1.9 or higher.

[,3.0.12) [3.1.0,3.1.9)