CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-29736

CVSS 9.1v3.1pub. 2024-07-19upd. 2024-11-21

A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. The attack only applies if a custom stylesheet parameter is configured.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Apache Cxf

    APP
    Apache
    < 3.5.93.6.0 – 3.6.4 (bez)4.0.0 – 4.0.5 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
SSRF
CWE
References

Related vulnerabilities

CVE-2026-49875CRITICAL9.8PL ✓ten sam produkt

Apache CXF: podatność XXE w EndpointReferenceUtils i W3CMultiSchemaFactory

CVE-2026-50628CRITICAL9.8PL ✓ten sam produkt

Apache CXF: błąd logiki w OAuthRequestFilter odwraca weryfikację IP

CVE-2026-50627CRITICAL9.1PL ✓ten sam produkt

Apache CXF: brak weryfikacji pola 'aud' w tokenach JWT (Token Confusion)

CVE-2026-44930CRITICAL9.8ten sam produkt

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow ...

CVE-2025-48913CRITICAL9.8PL ✓ten sam produkt

Apache CXF: RCE przez złośliwe URL w konfiguracji JMS