← Back

CVE-2010-2076

nvd nist
Published: Aug 19, 2010Modified: Apr 29, 2026

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to samples/wsdl_first_pure_xml, a similar issue to CVE-2010-1632.

Affected (3)

Products: Apache: Cxf
Apache
1 product
Cxf
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Apache
Cxf
From 2.0.6 to 2.0.13
Cxf
From 2.1 to 2.1.10
Cxf
From 2.2.0 to 2.2.9

Related CWEs

CWE-829
Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

References (32)

Source: secalert@redhat.com
Vendor Advisory
Source: secalert@redhat.com
Release NotesVendor Advisory
Source: secalert@redhat.com
Release NotesVendor Advisory
Source: secalert@redhat.com
Broken LinkVendor Advisory
Source: secalert@redhat.com
Broken LinkVendor Advisory
Source: secalert@redhat.com
Broken LinkVendor Advisory
Source: secalert@redhat.com
ExploitVendor Advisory
Source: secalert@redhat.com
Broken Link
Source: secalert@redhat.com
Broken LinkThird Party AdvisoryVDB Entry
Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Mailing ListPatch
Source: secalert@redhat.com
Mailing ListPatch
Source: secalert@redhat.com
Mailing ListPatch
Source: secalert@redhat.com
Mailing ListPatch
Source: secalert@redhat.com
Mailing ListPatch
Source: secalert@redhat.com
Mailing ListPatch
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release NotesVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release NotesVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Broken LinkVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Broken LinkVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Broken LinkVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Broken Link
Source: af854a3a-2127-422b-91ae-364da2661108
Broken LinkThird Party AdvisoryVDB Entry
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListPatch
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListPatch
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListPatch
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListPatch
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListPatch
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListPatch

Timeline

No history available yet.