Security Issue: CVE-2024-28752 - Apache CXF

Issue

  • CVE-2024-28752 describes an SSRF vulnerability in the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3, and 3.5.8, which would allow an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.
  • These details are from: https://nvd.nist.gov/vuln/detail/CVE-2024-28752

 

Environment

  • Liferay DXP 7.4

Resolution

  • This issue affects users of the Aegis DataBinding. However, Liferay does not use org.apache.cxf:cxf-rt-databinding-aegis, so this vulnerability does not affect Liferay. More specifically, Liferay only uses cxf-rt-databinding-jaxb.
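
To confirm the same conclusion for a specific installation, including custom modules deployed to it, the following added example (not Liferay or Apache CXF code) searches a directory tree for the cxf-rt-databinding-aegis artifact and compares its version with the fixed releases listed above. It assumes the jar keeps its Maven file name, looks only one archive level deep, and assumes each fixed version closes its own release line; a hit shows the artifact is present, not that a service uses the Aegis binding.

```python
import os, re, sys, tempfile, zipfile

# Artifact named in the advisory; fixed versions are the ones the page lists.
AEGIS = re.compile(r"cxf-rt-databinding-aegis-(\d+)\.(\d+)\.(\d+)[^/\\]*\.jar$")
FIXED = [(4, 0, 4), (3, 6, 3), (3, 5, 8)]  # newest release line first

def is_fixed(version):
    """Assumption: each fix closes its own line (4.0.x, 3.6.x, 3.5.x and older)."""
    for fix in FIXED:
        if version[:2] >= fix[:2]:
            return version >= fix
    return False  # older than the 3.5 line: before every fixed release

def classify(name):
    """Return (version, fixed) when name is an Aegis databinding jar, else None."""
    m = AEGIS.search(name)
    if not m:
        return None
    version = tuple(int(p) for p in m.groups())
    return version, is_fixed(version)

def scan(root):
    """Walk root; check file names and the entries of zip-format bundles (WAR, LPKG, jar)."""
    hits = []
    for folder, _, files in os.walk(root):
        for f in files:
            path = os.path.join(folder, f)
            names = [f]
            if zipfile.is_zipfile(path):  # one level only: nested archives are not opened
                with zipfile.ZipFile(path) as z:
                    names += z.namelist()
            for n in names:
                found = classify(n)
                if found:
                    hits.append((path, n, *found))
    return hits

if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:  # constructed sample tree so the script runs offline
        root = tempfile.mkdtemp()
        with zipfile.ZipFile(os.path.join(root, "sample.war"), "w") as z:
            z.writestr("WEB-INF/lib/cxf-rt-databinding-aegis-3.5.7.jar", b"")
            z.writestr("WEB-INF/lib/cxf-rt-databinding-jaxb-3.5.7.jar", b"")
    for path, name, version, fixed in scan(root):
        state = "fixed release" if fixed else "before fixed release"
        print(path, name, ".".join(map(str, version)), state)
```

An empty result for the installation directory is consistent with the statement above that only cxf-rt-databinding-jaxb is used.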


Additional Information
