← Voltar para CVEs
CVE-2026-42402
HIGH7.5
Descricao
Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion. Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.
Detalhes CVE
Pontuacao CVSS v3.17.5
SeveridadeHIGH
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado5/1/2026
Ultima modificacao5/1/2026
Fontenvd
Avistamentos honeypot0
Produtos afetados
apache:neethi
Fraquezas (CWE)
CWE-400
Referencias
https://lists.apache.org/thread/p826j0phhmr9f83wzpmys1y0bdfrr2q4(security@apache.org)
http://www.openwall.com/lists/oss-security/2026/05/01/6(af854a3a-2127-422b-91ae-364da2661108)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.