CVE-2024-28752

SSRF vulnerability using the Aegis DataBinding in Apache CXF

Description

A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.

Patch Available

Fix available through Seal Security.  
No upgrade required, protect your application instantly.

Fix without upgrading

Score

9.3

Severity

Critical

Ecosystem

Java

Publish Date

March 15, 2024

Modified Date

February 3, 2026

Score Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Affected Versions