CVE-2021-30468

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 16-06-2021 02:15

Last modified: - 25-04-2022 09:51

Total changes: - 13

Description

A vulnerability in the JsonMapObjectReaderWriter of Apache CXF allows an attacker to submit malformed JSON to a web service, which results in the thread getting stuck in an infinite loop, consuming CPU indefinitely. This issue affects Apache CXF versions prior to 3.4.4; Apache CXF versions prior to 3.3.11.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Low

Attack complexity

Network

Attack vector

High

Availability

None

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

7.5

Base score

3.9

3.6

Exploitability score

Impact score

Verification logic

vendor=apache AND product=cxf AND versionEndExcluding=3.3.11

vendor=apache AND product=cxf AND versionStartIncluding=3.4.0 AND versionEndExcluding=3.4.4

vendor=apache AND product=tomee AND version=8.0.6

vendor=oracle AND product=business_intelligence AND version=5.5.0.0.0 AND software_edition=enterprise

vendor=oracle AND product=business_intelligence AND version=5.9.0.0.0 AND software_edition=enterprise

vendor=oracle AND product=business_intelligence AND version=12.2.1.3.0 AND software_edition=enterprise

vendor=oracle AND product=business_intelligence AND version=12.2.1.4.0 AND software_edition=enterprise

vendor=oracle AND product=communications_element_manager AND version=8.2.2

vendor=oracle AND product=communications_messaging_server AND version=8.1

Reference

N/A-Vendor Advisory
[cxf-dev] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter-Mailing List, Vendor Advisory
[cxf-users] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter-Mailing List, Vendor Advisory
[announce] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter-Mailing List, Vendor Advisory
[oss-security] 20210616 CVE-2021-30468: Apache CXF Denial of service vulnerability in parsing JSON via JsonMapObjectReaderWriter-Mailing List, Third Party Advisory
[tomee-commits] 20210705 [jira] [Updated] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF-Mailing List, Vendor Advisory
[tomee-commits] 20210705 [jira] [Created] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF-Mailing List, Vendor Advisory
[tomee-commits] 20210901 [jira] [Resolved] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF-Mailing List, Vendor Advisory
[tomee-commits] 20210901 [jira] [Commented] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF-Mailing List, Vendor Advisory
[tomee-commits] 20210913 [jira] [Commented] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF-Mailing List, Vendor Advisory
[tomee-commits] 20210913 [jira] [Updated] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF-Mailing List, Vendor Advisory
[tomee-commits] 20210913 [jira] [Reopened] (TOMEE-3768) TomEE plus is affected by CVE-CVE-2021-30468 vulnerability related to Apache CXF-Mailing List, Vendor Advisory
https://security.netapp.com/advisory/ntap-20210917-0002/
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html

Keywords

CVE-2021-30468

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2021-30468

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures