CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-28752

CVSS 9.3v3.1pub. 2024-03-15upd. 2025-06-27

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
  • Apache Cxf

    APP
    Apache
    < 3.5.83.6.0 – 3.6.3 (bez)4.0.0 – 4.0.4 (bez)
  • Netapp Oncommand Workflow Automation

    APP
    Netapp
    wszystkie wersje
  • Netapp Ontap Tools

    APP
    Netapp
    10
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
SSRF
CWE
References

Related vulnerabilities

CVE-2021-44228CRITICAL10.0⚠ KEVten sam produkt

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features u...

CVE-2016-3427CRITICAL9.8⚠ KEVten sam produkt

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 ...

CVE-2026-49875CRITICAL9.8PL ✓ten sam produkt

Apache CXF: podatność XXE w EndpointReferenceUtils i W3CMultiSchemaFactory

CVE-2026-50627CRITICAL9.1PL ✓ten sam produkt

Apache CXF: brak weryfikacji pola 'aud' w tokenach JWT (Token Confusion)

CVE-2026-50628CRITICAL9.8PL ✓ten sam produkt

Apache CXF: błąd logiki w OAuthRequestFilter odwraca weryfikację IP