CVE-2024-41172
Apache CXF allows unrestricted memory consumption in CXF HTTP clients
CVSS 3.1 base score: 3.7 (LOW)
EPSS: 1.2%
Description
In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected, so memory consumption can keep increasing until the application eventually runs out of memory.
How to fix CVE-2024-41172
To remediate CVE-2024-41172, upgrade the affected package to a fixed version below.
- Upgrade to 4.0.5 or later
Is CVE-2024-41172 being exploited?
Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.0.0, < 4.0.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | LOW 3.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |