Apache CXF's EndpointReferenceUtils and W3CMultiSchemaFactory classes construct a SAXParserFactory without the necessary JAXP hardening configurations, enabling out-of-band (OOB) external entity resolution. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue.
The EndpointReferenceUtils and W3CMultiSchemaFactory classes initialize SAXParserFactory without the necessary JAXP (Java API for XML Processing) hardening configurations. As a result, the XML parser does not block out-of-band (OOB) external entity resolution. An attacker can submit a specially crafted XML document containing a reference to an external resource, which will be automatically retrieved by the server processing the request.
An attacker can read arbitrary files from the server's file system, gain access to internal network resources (SSRF), and potentially affect the integrity and availability of the system, which corresponds to a complete breach of confidentiality, integrity, and availability (CVSS C:H/I:H/A:H).
Apache CXF should be updated to version 4.2.2 or 4.1.7, which contain a patch eliminating the vulnerability. Details are available in the vendor references.
Apache CXF in versions prior to 4.2.2 and 4.1.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Cxf
APPApache< 4.1.74.2.0 – 4.2.2 (bez)
Related vulnerabilities
Apache CXF: brak weryfikacji pola 'aud' w tokenach JWT (Token Confusion)
Apache CXF: błąd logiki w OAuthRequestFilter odwraca weryfikację IP
An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow ...
Apache CXF: RCE przez złośliwe URL w konfiguracji JMS
SSRF w opisie usług WADL w Apache CXF