| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.cxf:cxf-rt-transports-jms | maven | < 3.6.8 | 3.6.8 |
| org.apache.cxf:cxf-rt-transports-jms | maven | >= 4.0.0, < 4.0.9 | 4.0.9 |
| org.apache.cxf:cxf-rt-transports-jms | maven | >= 4.1.0, < 4.1.3 | 4.1.3 |
The vulnerability exists in the org.apache.cxf.transport.jms.util.JndiHelper class, specifically in its constructor. The root cause is improper input validation of the JNDI provider URL: the transport does not restrict which JNDI protocols may be used, so dangerous ones such as LDAP and RMI are accepted. An attacker able to influence the JMS configuration can therefore set the java.naming.provider.url property to a malicious LDAP or RMI endpoint. When JndiHelper is instantiated (for example, while creating a JMS connection factory), the constructor processes that URL and performs a JNDI lookup against the attacker-controlled server, which can lead to loading and executing arbitrary code on the host running the Apache CXF application. The precondition is control over the JMS/JNDI configuration, not over a network message.
The patch addresses this by adding a validation step inside the JndiHelper constructor: it inspects the provider URL and throws an IllegalArgumentException if it starts with 'ldap://' or 'rmi://', so the lookup never reaches a remote codebase. The accompanying test case confirms that using either forbidden protocol now results in a controlled exception rather than an unsafe JNDI operation. Fixed versions are those listed in the table above (3.6.8, 4.0.9 and 4.1.3).
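The check described above, written out as an added example for this page. This is a hypothetical standalone class, not Apache CXF's JndiHelper or its patch; the class name JndiProviderUrlGuard, the method names and the sample environment values are all invented for illustration. It shows the literal prefix test the advisory describes next to a stricter variant that parses the scheme and compares it case-insensitively (treating ldaps:// as forbidden as well, which is an assumption beyond what the page states), and it applies the check to a JNDI environment before that environment would be handed to an InitialContext.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Hashtable;
import java.util.Locale;
import java.util.Set;
import javax.naming.Context;

/**
 * Illustrative guard for the JNDI provider URL used by a JMS transport.
 * Hypothetical class written for this page; it is NOT Apache CXF's JndiHelper.
 */
public final class JndiProviderUrlGuard {

    // Schemes whose JNDI lookups can pull objects/classes from a remote server.
    // ldap and rmi are the two the advisory names; ldaps is added here as an
    // assumption about what a stricter deployment would also block.
    private static final Set<String> REMOTE_CODEBASE_SCHEMES = Set.of("ldap", "ldaps", "rmi");

    private JndiProviderUrlGuard() {}

    /**
     * Mirrors the literal check the advisory describes: reject a provider URL
     * that starts with "ldap://" or "rmi://".
     */
    public static boolean isForbiddenByPrefix(String providerUrl) {
        if (providerUrl == null) {
            return false;
        }
        return providerUrl.startsWith("ldap://") || providerUrl.startsWith("rmi://");
    }

    /**
     * Stricter variant: extract the scheme and compare it case-insensitively,
     * so values such as "LDAP://..." or " rmi://..." (leading whitespace) are
     * caught even though a plain prefix test would not match them.
     */
    public static boolean isForbiddenByScheme(String providerUrl) {
        if (providerUrl == null) {
            return false;
        }
        String trimmed = providerUrl.trim();
        String scheme;
        try {
            scheme = new URI(trimmed).getScheme();
        } catch (URISyntaxException e) {
            // Not a well-formed URI: fall back to whatever precedes the first ':'.
            int colon = trimmed.indexOf(':');
            scheme = colon > 0 ? trimmed.substring(0, colon) : null;
        }
        if (scheme == null) {
            return false;
        }
        return REMOTE_CODEBASE_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
    }

    /**
     * Validate a JNDI environment before it is used to build an InitialContext.
     * Throws IllegalArgumentException, the same exception type the advisory says
     * the patched constructor uses.
     */
    public static Hashtable<String, String> validate(Hashtable<String, String> env) {
        String url = env.get(Context.PROVIDER_URL); // "java.naming.provider.url"
        if (isForbiddenByScheme(url)) {
            throw new IllegalArgumentException(
                    "Unsupported JNDI provider URL scheme in " + Context.PROVIDER_URL + ": " + url);
        }
        return env;
    }

    public static void main(String[] args) {
        // Constructed sample environment; the factory class name is a placeholder.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "org.example.PlaceholderContextFactory");
        env.put(Context.PROVIDER_URL, "LDAP://attacker.example:389/Exploit");

        String url = env.get(Context.PROVIDER_URL);
        System.out.println("prefix check flags it: " + isForbiddenByPrefix(url));
        System.out.println("scheme check flags it: " + isForbiddenByScheme(url));
        try {
            validate(env);
            System.out.println("accepted (would proceed to new InitialContext(env))");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running main shows why a prefix-only test is a weaker defence than a scheme-based one: the upper-case sample URL passes the literal startsWith check but is rejected once the scheme is normalised. In a real deployment the safer policy is an allowlist of the schemes the JMS provider actually needs rather than a denylist of known-bad ones, which the example's set could be inverted to express.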