Issue
- Security vulnerability CVE-2024-28752 details an SSRF vulnerability with the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3, and 3.5.8, which would allow an attacker to perform SSRF-style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.
- These details are from: https://nvd.nist.gov/vuln/detail/CVE-2024-28752
Environment
- Liferay DXP 7.4
Resolution
- This issue affects users using the Aegis DataBinding. However, Liferay does not use org.apache.cxf:cxf-rt-databinding-aegis, so this vulnerability does not affect Liferay. More specifically, Liferay only uses cxf-rt-databinding-jaxb.
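To confirm on a given installation that no custom module or deployed application has brought the Aegis artifact in, the following added example (not Liferay or Apache CXF code) walks a directory tree, descends into nested archives, and reports every cxf-rt-databinding-aegis jar with its version. It assumes jars keep their Maven-style file names, that the archive extensions listed are the ones in use, and that release lines other than 3.5, 3.6 and 4.0 are compared against 3.5.8.

```python
import io
import os
import re
import zipfile

# Fixed releases named in the advisory, keyed by (major, minor) release line.
FIXED = {(3, 5): (3, 5, 8), (3, 6): (3, 6, 3), (4, 0): (4, 0, 4)}
AEGIS = re.compile(r"cxf-rt-databinding-aegis-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")
ARCHIVES = (".jar", ".war", ".ear", ".zip", ".lpkg")  # assumed extension list

def is_affected(version):
    """True if an Aegis version predates the fix for its release line."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Assumption: any other release line is compared against 3.5.8.
        return version < (3, 5, 8)
    return version < fixed

def check_name(path, findings):
    """Record the path if its last component is an Aegis jar."""
    m = AEGIS.search(path)
    if m:
        version = tuple(int(g) for g in m.groups())
        findings.append((path, version, is_affected(version)))

def scan_archive(source, label, findings, depth=0):
    """Check entry names in an archive, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return
    with zf:
        for name in zf.namelist():
            inner = f"{label}!/{name}"
            check_name(inner, findings)
            if name.lower().endswith(ARCHIVES) and depth < 3:
                scan_archive(io.BytesIO(zf.read(name)), inner, findings, depth + 1)

def scan_tree(root):
    """Return (path, version, affected) for every Aegis jar found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname).replace(os.sep, "/")
            check_name(full, findings)
            if fname.lower().endswith(ARCHIVES):
                scan_archive(full, full, findings)
    return findings
```

Call scan_tree on the installation directory; an empty result matches the resolution above, and any entry whose third field is True is an Aegis jar older than the fixed release for its line.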
Additional Information