SSRF in Apache Software Foundation Cxf

CVE-2024-28752

An SSRF vulnerability in the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type. Users of other data bind…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.508 (97.9th percentile)

Frequently asked questions

What is CVE-2024-28752?
CVE-2024-28752 is a vulnerability in Apache Software Foundation Cxf, classified as Server-Side Request Forgery (SSRF). It was published on 2024-03-15.
Is CVE-2024-28752 known to be exploited?
12 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.