Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632.
References
Configurations
Configuration 1 (hide)
|
History
15 Feb 2024, 20:22
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:cxf:2.1.7:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0.2:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.2.3:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.1.8:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0.12:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0.6:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.2:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.2.4:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0:m1:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.1.3:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0:rc:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.1.9:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.1.6:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.2.7:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.1.5:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0.7:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.1.2:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0.3:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.1.1:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.2.2:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.2.8:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0.9:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0.11:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.2.6:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.2.1:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0.1:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0.5:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0.10:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0.4:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.1.4:*:*:*:*:*:*:* cpe:2.3:a:apache:cxf:2.0.8:*:*:*:*:*:*:* |
cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:* |
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
CWE | CWE-829 | |
References | (CONFIRM) http://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf - Exploit, Vendor Advisory | |
References | (MISC) https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E - Mailing List, Patch | |
References | (SECUNIA) http://secunia.com/advisories/41016 - Broken Link, Vendor Advisory | |
References | (MISC) https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E - Mailing List, Patch | |
References | (CONFIRM) http://geronimo.apache.org/21x-security-report.html - Release Notes, Vendor Advisory | |
References | (MLIST) http://www.listware.net/201006/cxf-users/60160-important-apache-cxf-security-advisory-cve-2010-2076.html - Broken Link | |
References | (CONFIRM) http://geronimo.apache.org/22x-security-report.html - Release Notes, Vendor Advisory | |
References | (CONFIRM) https://issues.apache.org/jira/browse/GERONIMO-5383 - Third Party Advisory | |
References | (MISC) https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E - Mailing List, Patch | |
References | (MISC) https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E - Mailing List, Patch | |
References | (MISC) https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E - Mailing List, Patch | |
References | (SECUNIA) http://secunia.com/advisories/40969 - Broken Link, Vendor Advisory | |
References | (MISC) https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E - Mailing List, Patch | |
References | (CONFIRM) http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html - Vendor Advisory | |
References | (SECUNIA) http://secunia.com/advisories/41025 - Broken Link, Vendor Advisory | |
References | (BID) http://www.securityfocus.com/bid/42492 - Broken Link, Third Party Advisory, VDB Entry |
14 Feb 2024, 01:17
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) http://www.listware.net/201006/cxf-users/60160-important-apache-cxf-security-advisory-cve-2010-2076.html - URL Repurposed |
Information
Published : 2010-08-19 18:00
Updated : 2024-02-28 11:41
NVD link : CVE-2010-2076
Mitre link : CVE-2010-2076
CVE.ORG link : CVE-2010-2076
JSON object : View
Products Affected
apache
- cxf
CWE
CWE-829
Inclusion of Functionality from Untrusted Control Sphere