Vulnerability in Apache CXF
CVE-2014-3584
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX…
EPSS: 0.056 (90.5th percentile)
Affected products
- Apache CXF — versions 2.6.1, 2.7.0, 2.7.1 (the description above gives the full affected ranges: everything before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1)
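The affected ranges in the description are easy to misread (for example, "before 2.6.11" also covers every 2.5.x and older release, while 3.1.x is outside the affected set). The following script is an added example, not code from the page or from the Apache CXF project: it encodes those ranges as half-open version intervals and scans constructed `mvn dependency:list` output for Apache CXF artifacts that fall inside them. The sample dependency lines, the artifact names and the regular expressions are assumptions made for illustration.

```python
import re

# Affected ranges taken from the CVE description, as [lower, upper) tuples:
#   all versions before 2.6.11, 2.7.x before 2.7.8, 3.0.x before 3.0.1.
AFFECTED_RANGES = [
    ((0, 0, 0), (2, 6, 11)),
    ((2, 7, 0), (2, 7, 8)),
    ((3, 0, 0), (3, 0, 1)),
]

# Matches a Maven coordinate line such as
#   [INFO]    org.apache.cxf:cxf-core:jar:3.0.1:compile
# and captures groupId:artifactId and the version.
COORD_RE = re.compile(r"(org\.apache\.cxf:[\w.-]+):jar:([^:\s]+):")


def parse_version(text):
    """Return (major, minor, patch) for a CXF-style version string.

    Qualifiers such as '3.0.0-milestone2' or '2.7.8.fuse-xx' are ignored;
    only the leading numeric triple is compared.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True if the given CXF version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def find_affected_cxf_artifacts(lines):
    """Scan dependency-list output; return [(coordinate, version), ...]
    for every org.apache.cxf artifact whose version is affected."""
    hits = []
    for line in lines:
        m = COORD_RE.search(line)
        if not m:
            continue
        coord, version = m.group(1), m.group(2)
        try:
            if is_affected(version):
                hits.append((coord, version))
        except ValueError:
            # Unparseable version: report it so it is reviewed by hand.
            hits.append((coord, f"{version} (unparsed)"))
    return hits


# Constructed sample output, in the shape of `mvn dependency:list`
# (assumed artifact names; not taken from any real build).
SAMPLE_DEPENDENCY_LIST = [
    "[INFO]    org.apache.cxf:cxf-rt-frontend-jaxrs:jar:2.7.7:compile",
    "[INFO]    org.apache.cxf:cxf-rt-rs-security-sso-saml:jar:2.7.7:compile",
    "[INFO]    org.apache.wss4j:wss4j-ws-security-common:jar:2.0.1:compile",
    "[INFO]    org.apache.cxf:cxf-core:jar:3.0.1:compile",
]

if __name__ == "__main__":
    for coord, version in find_affected_cxf_artifacts(SAMPLE_DEPENDENCY_LIST):
        print(f"AFFECTED by CVE-2014-3584: {coord} {version}")
```

A hit means the build ships a vulnerable CXF release and should be upgraded to 2.6.11, 2.7.8 or 3.0.1 as appropriate; whether the denial of service is actually reachable further depends on a JAX-RS endpoint having the SAML header handler configured, which a dependency scan alone cannot tell you.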
Weakness classification (CWE)
- CWE-399: Resource Management Errors
Public proof-of-concept exploits
References
- [oss-security] 20141024 New security advisories released for Apache CXF (mailing-list, x_refsource_MLIST)
- 61909 (x_refsource_SECUNIA, third-party-advisory)
- 70738 (vdb-entry, x_refsource_BID)
- apache-cxf-cve20143584-dos(97753) (vdb-entry, x_refsource_XF)
- Apache CXF security advisory for CVE-2014-3584 (x_refsource_CONFIRM, Vendor Advisory)
- [cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html (mailing-list, x_refsource_MLIST)
- [cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html (mailing-list, x_refsource_MLIST)
- [cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html (mailing-list, x_refsource_MLIST)
- [cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html (mailing-list, x_refsource_MLIST)
- [cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2014-3584?
- CVE-2014-3584 is a denial-of-service vulnerability in Apache CXF, classified under CWE-399 (Resource Management Errors). Published 2014-10-30.
- Is CVE-2014-3584 known to be exploited?
- One public proof-of-concept repository is indexed. It is not currently listed in the CISA KEV catalog.