CVE-2024-41172

In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:cxf::::::::
	cpe:2.3:a:apache:cxf::::::::

History

07 Aug 2024, 20:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~5.3~~	v2 : unknown v3 : 7.5
References	~~() https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6 -~~	() https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6 - Mailing List, Vendor Advisory
First Time		Apache Apache cxf
CPE		cpe:2.3:a:apache:cxf::::::::

01 Aug 2024, 13:58

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
Summary		(es) En las versiones de Apache CXF anteriores a 3.6.4 y 4.0.5 (las versiones 3.5.x y inferiores no se ven afectadas), un conducto de cliente HTTP de CXF puede impedir que las instancias de HTTPClient se recopilen como basura y es posible que el consumo de memoria continúe aumentando eventualmente causando que la aplicación se quede sin memoria.

19 Jul 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-19 09:15

Updated : 2024-08-07 20:16

NVD link : CVE-2024-41172

Mitre link : CVE-2024-41172

CVE.ORG link : CVE-2024-41172

JSON object : View

Products Affected

apache

cxf

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

{"id": "CVE-2024-41172", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-07-19T09:15:05.640", "references": [{"url": "https://lists.apache.org/thread/n2hvbrgwpdtcqdccod8by28ynnolybl6", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory\n"}, {"lang": "es", "value": "En las versiones de Apache CXF anteriores a 3.6.4 y 4.0.5 (las versiones 3.5.x y inferiores no se ven afectadas), un conducto de cliente HTTP de CXF puede impedir que las instancias de HTTPClient se recopilen como basura y es posible que el consumo de memoria contin\u00fae aumentando eventualmente causando que la aplicaci\u00f3n se quede sin memoria."}], "lastModified": "2024-08-07T20:16:45.237", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7D6F6603-DD23-4DD5-8B90-0BAB0EB7E1D1", "versionEndExcluding": "3.6.4", "versionStartIncluding": "3.6.0"}, {"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ACAFECF5-75A5-4397-A588-F51D09717335", "versionEndExcluding": "4.0.5", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}