CVE-2017-12624

MEDIUM

Apache CXF 3.0.0-3.0.15, 3.1.0-3.1.13, 3.2.0 - Denial of Service via Large Message Attachment Header

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-12624. PoCs published by tafamace.

AI-analyzed exploit summary The provided code is a simple Java stub that prints command-line arguments and does not demonstrate any exploit functionality related to CVE-2017-12624. It lacks offensive techniques or vulnerability exploitation logic.

Description

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

Exploits (1)

nomisec STUB

by tafamace · poc

https://github.com/tafamace/CVE-2017-12624

View Code ZIP pw:eip

The provided code is a simple Java stub that prints command-line arguments and does not demonstrate any exploit functionality related to CVE-2017-12624. It lacks offensive techniques or vulnerability exploitation logic.

Classification

Stub 90%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: N/A

No auth needed

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (13)

Core 13

Core References

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:2428

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1040486

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:2424

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:2423

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2018:2425

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/101859

Issue Tracking, Vendor Advisory x_refsource_confirm

http://cxf.apache.org/security-advisories.data/CVE-2017-12624.txt.asc

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

Scores

CVSS v3 5.5

EPSS 0.0357

EPSS Percentile 88.0%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

Status published

Products (4)

apache/cxf 3.0.0 - 3.0.16

Apache Software Foundation/Apache CXF 3.2.x prior to 3.2.1

Apache Software Foundation/Apache CXF prior to 3.1.14

org.apache.cxf/cxf-core 3.2.0 - 3.2.1Maven

Published Nov 14, 2017

Tracked Since Feb 18, 2026