Platform
java
Component
org.apache.cxf:cxf-rt-databinding-aegis
Fixed in
4.0.4, 3.6.3, 3.5.8
3.5.8
CVE-2024-28752 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Apache CXF's Aegis DataBinding. This flaw allows attackers to initiate unauthorized requests to internal or external resources, potentially exposing sensitive data or enabling further attacks. The vulnerability affects versions of Apache CXF prior to 4.0.4, 3.6.3, and 3.5.8. A fix is available in version 3.5.8.
The SSRF vulnerability in Apache CXF allows an attacker to craft malicious requests that appear to originate from the server itself. This can be leveraged to access internal services that are not directly exposed to the internet, such as databases, administrative interfaces, or other sensitive resources. An attacker could potentially read sensitive data, modify configurations, or even gain a foothold within the internal network. The impact is particularly severe if the affected CXF instance is used to process data from untrusted sources, as this increases the likelihood of malicious requests being injected. This vulnerability shares similarities with other SSRF exploits where attackers leverage internal network access to map the network and identify valuable targets.
CVE-2024-28752 was publicly disclosed on March 15, 2024. The vulnerability has a CVSS score of 9.3 (CRITICAL), indicating a high probability of exploitation. No public proof-of-concept (PoC) code has been publicly released as of this writing, but the SSRF nature of the vulnerability makes it likely that exploits will emerge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.59% (69% percentile)
CVSS Vector
The primary mitigation for CVE-2024-28752 is to upgrade Apache CXF to version 3.5.8 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting outbound network access for the CXF instance using a firewall or proxy. Additionally, carefully validate and sanitize all input data to prevent attackers from injecting malicious URLs. Web Application Firewalls (WAFs) configured to detect and block SSRF attempts can provide an additional layer of defense. Monitor CXF logs for unusual outbound requests that may indicate exploitation.
Update Apache CXF to version 4.0.4, 3.6.3 or 3.5.8 or later. This corrects the SSRF vulnerability in the Aegis data binding. If you cannot update immediately, consider disabling or avoiding the use of the Aegis data binding.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-28752 is a critical SSRF vulnerability affecting Apache CXF versions up to 3.5.7, allowing attackers to make unauthorized requests through the Aegis DataBinding.
You are affected if you are using Apache CXF versions 3.5.7 or earlier and utilizing the Aegis DataBinding for data processing.
Upgrade Apache CXF to version 3.5.8 or later to resolve the SSRF vulnerability. Consider temporary workarounds like restricting outbound network access if immediate upgrade is not possible.
While no public exploits are currently available, the SSRF nature of the vulnerability suggests a high likelihood of exploitation in the near future.
Refer to the Apache CXF security page for the latest information and advisory regarding CVE-2024-28752: https://cxf.apache.org/security-advisories.html
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.