← Retour aux CVEs

CVE-2024-28752

CRITICAL

9.3

Description

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

Details CVE

Score CVSS v3.19.3

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurREQUIRED

Publie3/15/2024

Derniere modification6/27/2025

Sourcenvd

Observations honeypot0

Produits affectes

apache:cxfnetapp:oncommand_workflow_automationnetapp:ontap_tools

Faiblesses (CWE)

CWE-918CWE-918

References

http://www.openwall.com/lists/oss-security/2024/03/14/3(security@apache.org)

https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt(security@apache.org)

https://security.netapp.com/advisory/ntap-20240517-0001/(security@apache.org)

http://www.openwall.com/lists/oss-security/2024/03/14/3(af854a3a-2127-422b-91ae-364da2661108)

https://cxf.apache.org/security-advisories.data/CVE-2024-28752.txt(af854a3a-2127-422b-91ae-364da2661108)

https://security.netapp.com/advisory/ntap-20240517-0001/(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.