-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2019-12406: Apache CXF does not restrict the number of message attachments

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.3.4 and 3.2.11.

Description:

Apache CXF does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments.

- From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".

Mitigation:

Users of Apache CXF should update to either the 3.3.4 or 3.2.11 releases.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE20Xs0ZuXUU9ycQWuZ7+AsQrVOYMFAl3Ba6UACgkQZ7+AsQrV
OYNrjwgArmMQngqtWNTL0oWjuB3GU2yd/sZQnIulwEt2is4+3wtE71gDmDc/4oBt
GyiQedAoj8Bpop+/3mqfJ4khXUkQR9KnF5px7lfAW3cRmleCekOwrZ+GLM+i6i7J
fgmGdRoV0eo4uVL+evUejA6cGBcs03xmtRUmWrnWccZakYmQ8pXJeqXOExdcyQbO
Ec5eBNbRpcyWlzPUno0xebuIU/jwWfJ5r+aX7Xz8CILuZ5+Eh9vK8Qo7Boy9GKzR
Vqp90wih5LGTGuGrhcN0l8w75DZr1fZG51a4LwQT2MVx04xfkf9HI6M1M1hmhpVw
hZSmpDgX5c5Iex5M5mYrbz8pz7x//w==
=JpOu
-----END PGP SIGNATURE-----
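The advisory names the "attachment-max-count" message property as the knob that controls the post-fix limit (default 50). The following is an added illustration, not code from the advisory or from the CXF project, of how an operator on a patched release (3.3.4 / 3.2.11 or later) would tighten that limit for a single JAX-WS endpoint rather than rely on the default. The service class, the publish address and the value 10 are constructed for the example; it assumes that a property set on the CXF `EndpointImpl` is visible as a contextual message property at attachment-parsing time, and that the value may be supplied as an `Integer`.

```java
import java.util.HashMap;
import java.util.Map;
import javax.jws.WebService;
import org.apache.cxf.jaxws.EndpointImpl;

// Constructed service implementation for the example; not part of CXF.
@WebService
public class AttachmentLimitExample {

    // Trivial operation so the endpoint has something to expose.
    public String echo(String text) {
        return text;
    }

    public static void main(String[] args) {
        EndpointImpl endpoint = new EndpointImpl(new AttachmentLimitExample());

        Map<String, Object> props = new HashMap<>();
        // Property name comes from the advisory. On 3.3.4 / 3.2.11 and later the
        // default is 50; a lower bound such as 10 (constructed value) shrinks the
        // resource budget a single multipart request can claim on this endpoint.
        props.put("attachment-max-count", 10);
        endpoint.setProperties(props);

        // Constructed address for the example.
        endpoint.publish("http://localhost:9000/echo");
    }
}
```

The property is read per message, so it can also be scoped differently: set it bus-wide to cover every endpoint, or, for a client that consumes multipart responses, place it in the request context of the `BindingProvider`. On releases before 3.3.4 / 3.2.11 the property has no effect, because the limit did not exist; upgrading is the mitigation, and the property only tunes it afterwards.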