CVE-2017-12624

medium

Apache

CVSS v3 Base Score

5.5

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS Score

3.6%

Exploitation probability in 30 days

Top 12% most likely to be exploited

Attack Characteristics

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Confidentiality

None

Integrity

None

Availability

High

Published: November 14, 2017 (3103 days ago)

Last Modified: May 13, 2026

Vendor: Apache

Source: NVD

Description

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

CWE

NVD-CWE-noinfo

Affected Products

apache cxf

References

🔗 cxf.apache.org 🔗 www.securityfocus.com 🔗 www.securitytracker.com 🔗 access.redhat.com 🔗 access.redhat.com

CVE-2017-12624

Vulnerability Report

Description

CWE

Affected Products

References