CVE-2024-32007: Apache CXF Denial of Service vulnerability in JOSE

Severity: moderate

Affected versions:

- Apache CXF before 4.0.5, 3.6.4, 3.5.9

Description:

An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.

Credit:

Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab. (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-32007