Apache Kerby™ is a Java Kerberos binding. It provides a rich,
intuitive and interoperable implementation, library, KDC and various
facilities that integrate PKI, OTP and token (OAuth2) as desired in
modern environments such as cloud, Hadoop and mobile.
Apache Kerby 2.1.0 is released and is availa
CVE-2024-32007: Apache CXF Denial of Service vulnerability in JOSE
Severity: moderate
Affected versions:
- Apache CXF before 4.0.5, 3.6.4, 3.5.9
Description:
An improper input validation of the p2c parameter in the Apache CXF
JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perfor
CVE-2024-41172: Unrestricted memory consumption in CXF HTTP clients
Severity: low
Affected versions:
- Apache CXF 3.6.0, 4.0.0 before 3.6.4, 4.0.5
Description:
In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower
versions are not impacted), a CXF HTTP client conduit may prevent
HT
CVE-2024-29736: SSRF vulnerability via WADL stylesheet parameter
Severity: important
Affected versions:
- Apache CXF before 3.5.9, 3.6.4, 4.0.5
Description:
A SSRF vulnerability in WADL service description in versions of Apache
CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SS
Severity: important
Affected versions:
- Apache CXF before 4.0.4, 3.6.3, 3.5.8
Description:
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF
before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks
on webservices that take at least one parameter
Severity: moderate
Affected versions:
- Apache Santuario before 2.2.6
- Apache Santuario before 2.3.4
- Apache Santuario before 3.0.3
Description:
All versions of Apache Santuario - XML Security for Java prior to
2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to
an
Description:
An LDAP Injection vulnerability exists in the LdapIdentityBackend of
Apache Kerby before 2.0.3.
Credit:
4ra1n of Chaitin Tech (finder)
References:
https://directory.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-25613
CVE-2022-46364: Apache CXF SSRF Vulnerability
Severity: important
Description:
A SSRF vulnerability in parsing the href attribute of XOP:Include in
MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows
an attacker to perform SSRF style attacks on webservices that take at
least o
Severity: moderate
Description:
A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows
an attacker to perform a remote directory listing or code
exfiltration. The vulnerability only applies when the CXFServlet is
configured with both the static-resources-list and
redirect-query-che
The Apache Santuario™ project is aimed at providing implementation of
the primary security standards for XML:
- XML-Signature Syntax and Processing
- XML Encryption Syntax and Processing.
A new CVE is released for Apache Santuario - XML Security for Java,
which is fixed in the latest 2.2.
A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows
an attacker to submit malformed JSON to a web service, which results
in the thread getting stuck in an infinite loop, consuming CPU
indefinitely.
This issue affects Apache CXF versions prior to 3.4.4; Apache CXF
versions prior t
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via
a JWT token as opposed to query parameters (see: The OAuth 2.0
Authorization Framework: JWT Secured Authorization Request (JAR)).
Instead of sending a JWT token as a "request" parameter, the spec also
supports specifying a URI f
Description:
By default, Apache CXF creates a /services page containing a listing of the
available endpoint names and addresses. This webpage is vulnerable to a
reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which
allows a malicious actor to inject javascript into the web page
Apache CXF Fediz 1.5.0 is released. Apache CXF Fediz is a subproject of
CXF, which helps you to secure your web applications and delegates security
enforcement to the underlying application server.
This is a major new release with the following issues fixed:
https://issues.apache.org/jira/secure/R
or 3.2.13. Alternatively, set the createMBServerConnectorFactory
property to false and use the default JVM JMX remote capabilities instead.
From CXF 3.4.0, the createMBServerConnectorFactory property will be removed
altogether.
Credit:
Jonathan Gallimore, Tomitribe and Colm O hEigeartaigh, Talend.
Refer
CVE-2019-12423: Apache CXF OpenId Connect JWK Keys service returns
private/secret credentials if configured with a jwk keystore
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 3.3.5 and
3.2.12.
Descript
CVE-2019-17573: Apache CXF Reflected XSS in the services listing page
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 3.3.5 and
3.2.12.
Description:
By default, Apache CXF creates a /services page cont
[CVEID]:CVE-2019-12406
[PRODUCT]:Apache CXF
[VERSION]:Apache CXF versions before 3.3.4 and 3.2.11
[PROBLEMTYPE]:Denial of Service
[REFERENCES]:
http://cxf.apache.org/security-advisories.data/CVE-2019-12406.txt.asc
[DESCRIPTION]:Apache CXF does not restrict the number of message
attachments present
[CVEID]:CVE-2019-12419
[PRODUCT]:Apache CXF
[VERSION]:Apache CXF versions before 3.3.4 and 3.2.11
[PROBLEMTYPE]:Apache CXF OpenId Connect token service does not properly
validate the clientId
[REFERENCES]:
http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc
[DESCRIPTION]:Apache CX
antuario - XML Security for
Java, leading to
potential security flaws when validating signed documents,
etc.
For more information, please see the security advisories page of Apache
Santuario: http://santuario.apache.org/secadv.html
--
Colm O hEigeartaigh
Talend Community Co
release!
Best Regards,
The Apache Directory Team
vulnerable to DTD based XML attacks
The advisory text is available at this location:
http://cxf.apache.org/security-advisories.data/CVE-2018-8038.txt.asc
Please also refer to the CXF security advisories page:
http://cxf.apache.org/security-advisories.html
Please also refer to the CXF security advisories page:
http://cxf.apache.org/security-advisories.html
or JBI.
The Apache CXF team is proud to announce the release of Apache CXF 3.1.15.
This is a patch release where 57 JIRA items were resolved.
To download Apache CXF 3.1.15 please go to:
http://cxf.apache.org/download.html
vulnerabilities in the Apache CXF Fediz Spring plugins.
http://cxf.apache.org/security-advisories.data/CVE-2017-12631.txt.asc
Users who are using the Spring security plugins of Apache CXF Fediz should
upgrade immediately to the latest releases.
Colm.
3.1.x or 3.2.x.
environments
such as cloud, Hadoop and mobile.
This is a new major release of Apache Kerby, which implements cross-realm
support, and also includes a GSSAPI module.
http://directory.apache.org/kerby/
://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc
Colm.
to download the release:
http://santuario.apache.org/
/directory-kerby.git
Github site: https://github.com/apache/directory-kerby
Umbrella JIRA: https://issues.apache.org/jira/browse/DIRKRB-102
Thanks to everyone who contributed to the release!