Vulnerability Description
Apache CXF 3.3.x before 3.3.4 and 3.2.x before 3.2.11 do not restrict the number of MIME attachments in a single message. A malicious user can therefore craft a message containing a very large number of attachments and force the service to process all of them, a denial-of-service condition. Starting with the 3.3.4 and 3.2.11 releases a default limit of 50 attachments per message is enforced. The limit is configurable via the message property "attachment-max-count"; services that expect only a handful of attachments can lower it further.
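The following is an added example, not code from the CXF advisory or the CXF project, showing how a JAX-WS deployment on CXF 3.3.4/3.2.11 or later can lower the "attachment-max-count" cap below the default of 50 on both the server and the client side. It assumes the CXF JAX-WS frontend and HTTP transport are on the classpath, that endpoint properties and the JAX-WS request context are visible to the inbound message as contextual properties (which is how CXF resolves message properties), and that MTOM is enabled so that the DataHandler travels as a real MIME attachment. The service interface, implementation, address and method names are hypothetical.

```java
// Added example (not from the CXF advisory or project): capping the number of
// MIME attachments a CXF 3.3.4+/3.2.11+ endpoint accepts, below the default of 50.
// Assumes cxf-rt-frontend-jaxws and cxf-rt-transports-http on the classpath.
import java.util.HashMap;
import java.util.Map;

import javax.activation.DataHandler;
import javax.jws.WebService;
import javax.xml.ws.BindingProvider;

import org.apache.cxf.attachment.ByteDataSource;
import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;

public class AttachmentLimitExample {

    // Property name from the advisory: maximum number of attachments per message.
    static final String ATTACHMENT_MAX_COUNT = "attachment-max-count";
    // Standard CXF property that turns on MTOM so DataHandlers become MIME parts.
    static final String MTOM_ENABLED = "mtom-enabled";

    // Hypothetical service: one operation that receives exactly one attachment.
    @WebService
    public interface UploadService {
        String upload(String name, DataHandler content);
    }

    public static class UploadServiceImpl implements UploadService {
        @Override
        public String upload(String name, DataHandler content) {
            return "stored " + name;
        }
    }

    // Server side. Endpoint properties are consulted as contextual message
    // properties, so the cap applies to every request arriving at this endpoint.
    // A message carrying more than maxAttachments MIME parts is rejected by the
    // attachment deserializer before the service method is ever invoked.
    static Server publish(String address, int maxAttachments) {
        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setServiceClass(UploadService.class);
        factory.setServiceBean(new UploadServiceImpl());
        factory.setAddress(address);

        Map<String, Object> props = new HashMap<>();
        props.put(MTOM_ENABLED, Boolean.TRUE);
        props.put(ATTACHMENT_MAX_COUNT, maxAttachments); // 2 for a single-file upload API
        factory.setProperties(props);
        return factory.create();
    }

    // Client side. A malicious or compromised server can flood the client with
    // attachments in the response, so the same cap is set on the request context,
    // which CXF copies into the outgoing (and thus the in-flight) message.
    static UploadService client(String address, int maxAttachments) {
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        factory.setServiceClass(UploadService.class);
        factory.setAddress(address);
        UploadService port = factory.create(UploadService.class);

        Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
        ctx.put(MTOM_ENABLED, Boolean.TRUE);
        ctx.put(ATTACHMENT_MAX_COUNT, maxAttachments);
        return port;
    }

    public static void main(String[] args) {
        String address = "http://localhost:9000/upload"; // hypothetical address
        Server server = publish(address, 2);
        try {
            UploadService port = client(address, 2);
            DataHandler payload = new DataHandler(
                new ByteDataSource("hello".getBytes(), "application/octet-stream"));
            System.out.println(port.upload("report.bin", payload));
        } finally {
            server.stop();
            server.destroy();
        }
    }
}
```

For Spring-configured endpoints the same key goes into the endpoint's `<jaxws:properties>` element as `<entry key="attachment-max-count" value="2"/>`. Pick the value from the contract of the service: an operation that takes one file needs a cap of one or two, not the default of 50.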
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | CXF | 3.2.x < 3.2.11; 3.3.x < 3.3.4 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Flexcube Private Banking | 12.0.0 |
| Oracle | Retail Order Broker | 15.0 |
Related Weaknesses (CWE)
References
- http://cxf.apache.org/security-advisories.data/CVE-2019-12406.txt.asc (Vendor Advisory)
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de10
- https://lists.apache.org/thread.html/r92238967ba2783d3ab5a483f2e17f5fdaa8ace9899
- https://lists.apache.org/thread.html/rabc395b38acb7f2465bfbf0bc16d6e1e95720c89be
- https://lists.apache.org/thread.html/rb2a6dab1f781f55326543c56dc29ea677759439ddf
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b
- https://lists.apache.org/thread.html/rca465c9d1e1969281338522b76701c85a07abd045c
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fd
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba7
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a7
- https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2020.html (Patch, Third Party Advisory)
FAQ
What is CVE-2019-12406?
CVE-2019-12406 is a denial-of-service vulnerability in Apache CXF with a CVSS base score of 6.5 (MEDIUM). CXF 3.3.x before 3.3.4 and 3.2.x before 3.2.11 do not restrict the number of attachments in a message, so a malicious user can craft a message containing a very large number of attachments and exhaust the service's resources.
How severe is CVE-2019-12406?
CVE-2019-12406 is rated MEDIUM with a CVSS base score of 6.5/10. The impact is on availability (denial of service); the issue does not by itself expose or alter data.
Is there a patch for CVE-2019-12406?
Yes. Apache fixed the issue in CXF 3.3.4 and 3.2.11, which enforce a default limit of 50 attachments per message (configurable via the "attachment-max-count" property); upgrade to those releases or later. Oracle shipped fixes for the affected products (Commerce Guided Search, Flexcube Private Banking, Retail Order Broker) in the Critical Patch Updates of January 2020, April 2020 and April 2021 listed in the references.