CVE-2014-3584 — Loop with Unreachable Exit Condition in Apache CXF

Description

The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

How to fix CVE-2014-3584

To remediate CVE-2014-3584, upgrade the affected package to a fixed version below.

Maven/org.apache.cxf:cxf-rt-frontend-jaxrs—upgrade to 2.6.11 or later

Is CVE-2014-3584 being exploited?

Moderate — EPSS is 5.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 2.5.0, < 2.6.11

References (14)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-3584
WEBcxf.apache.org/security-advisories.data/CVE-2014-3584.txt.asc
WEBseclists.org/oss-sec/2014/q4/437
WEBexchange.xforce.ibmcloud.com/vulnerabilities/97753
WEB