Apache CXF JOSE Vulnerability: Denial of Service Attack via Improper Input Validation

CVE-2024-32007

7.5HIGH

Key Information

Vendor
Apache
Status
Apache Cxf
Vendor
CVE Published:
19 July 2024

Summary

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token. 

Affected Version(s)

Apache CXF < 4.0.5, 3.6.4, 3.5.9

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab.
.