Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-8328

CVE-2019-12406 not fixed in 3.1 branch

Attach filesAttach ScreenshotAdd voteVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 3.1.18
    • None
    • Core
    • Unknown

    Description

      CVE-2019-12406 is currently the only open relevant Cybersecurity issue in TomEE 7.x (see TOMEE-2876) according to known vulnerability database.

      TomEE 7.x is claiming to be a stable supported version. But it depends on CXF 3.1, which has at least the vulnerability reported in CVE-2019-12406.

      As I understood, it can't be fixed in TomEE without following the API change of CXF 3.2, which the TomEE team is reluctant to do.

      From the distant perspective, a backport to CXF 3.1 of the attachment-max-count feature doesn't look complicated.

      Attachments

        Issue Links

        blocks

        Dependency upgrade - Upgrading a dependency to a newer version TOMEE-2876 Fix cxf CVE issues

        • Major - Major loss of function.
        • Resolved

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            robert.schaft Robert Schaft
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:

              Slack

                Issue deployment