CVE-2014-3584

Apache CXF < 2.6.11, 2.7.x < 2.7.8, 3.0.x < 3.0.1 - Denial of Service via Crafted SAML Token

Title source: llm
STIX 2.1

Description

The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

References (11)

Core 11
Core References
Mailing List mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2014/q4/437
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/70738
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/61909
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/97753

Scores

EPSS 0.0559
EPSS Percentile 90.4%

Details

CWE
CWE-399
Status published
Products (12)
apache/cxf 2.6.1
apache/cxf 2.7.0
apache/cxf 2.7.1
apache/cxf 2.7.2
apache/cxf 2.7.3
apache/cxf 2.7.4
apache/cxf 2.7.5
apache/cxf 2.7.6
apache/cxf 2.7.7
apache/cxf 3.0.0
... and 2 more
Published Oct 30, 2014
Tracked Since Feb 18, 2026