Apache CXF JMS Configuration Vulnerability Leading to Remote Code Execution

Vulnerability

Apache CXF versions 4.1.0 before 4.1.3, 4.0.0 before 4.0.9, and all versions before 3.6.8 allowed untrusted users to configure the Java Message Service (JMS) transport with Remote Method Invocation (RMI) or Lightweight Directory Access Protocol (LDAP) URLs. The JMS transport resolves its connection factory through JNDI, so a lookup against an attacker-controlled rmi:// or ldap:// server can return a reference that makes the JVM load and execute remote code. The configuration interface has been updated to reject these protocols, which removes the attack path. The exposure depends on whether a deployment lets an untrusted party supply JMS endpoint addresses or JNDI environment settings, but the fix is the upgrade: users are advised to move to Apache CXF 3.6.8, 4.0.9, or 4.1.3.

Impact

Exploitation of this vulnerability could have allowed remote code execution on the server running Apache CXF, with the privileges of the JVM process that hosts it.

Remediation

Users should upgrade to the fixed release for their branch: Apache CXF 3.6.8 (3.6.x and earlier), 4.0.9 (4.0.x), or 4.1.3 (4.1.x). Until the upgrade is deployed, make sure no untrusted input reaches the JMS endpoint address or the JNDI environment (in particular the JNDI provider URL), since that is the value the fixed versions now validate.
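The two checks a practitioner wants from this advisory are a branch-aware version test (is my deployed CXF inside one of the three affected ranges?) and a configuration test that mirrors what the fix does (reject rmi:// and ldap:// JNDI provider URLs). The block below is an added example and is not code from the Apache CXF project. It parses the `jndiURL` query parameter of CXF's `jms:jndi:` endpoint address form and the standard `java.naming.provider.url` JNDI environment key; the hostnames `attacker.example` and `broker.internal` are constructed placeholders. Blocking `ldaps` alongside `ldap` is an assumption added here, because the JDK routes both schemes to the same LDAP JNDI provider.

```python
"""Checks for the Apache CXF JMS/JNDI URL issue described in this advisory.

Added example, not CXF project code.  Hostnames in the sample inputs are constructed.
"""
from urllib.parse import parse_qs

# Fixed versions named in the advisory, keyed by release branch.
FIXED_BY_BRANCH = {(3, 6): (3, 6, 8), (4, 0): (4, 0, 9), (4, 1): (4, 1, 3)}

# JNDI provider schemes the advisory says the fixed versions reject.  "ldaps" is an
# assumption added here: the JDK routes it to the same LDAP JNDI provider as "ldap".
BLOCKED_SCHEMES = {"rmi", "ldap", "ldaps"}

# Configuration keys (compared case-insensitively) that carry a JNDI provider URL.
JNDI_URL_KEYS = {"jndiurl", "java.naming.provider.url"}


def parse_version(version: str) -> tuple:
    """Turn '4.0.9', '3.6.8-SNAPSHOT' or '4.1' into a 3-tuple of ints (qualifiers dropped)."""
    nums = []
    for piece in version.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable_version(version: str) -> bool:
    """True if the version falls inside one of the affected ranges from the advisory."""
    v = parse_version(version)
    if v < (4, 0, 0):
        return v < (3, 6, 8)          # "versions prior to 3.6.8"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return False                  # 4.2 and later are not listed as affected
    return v < fixed


def blocked_scheme(url: str):
    """Return the lower-cased URL scheme if it is one the fix rejects, else None."""
    scheme, sep, _ = url.strip().partition(":")
    if not sep:
        return None                   # no scheme at all, e.g. a bare JNDI name
    scheme = scheme.lower()
    return scheme if scheme in BLOCKED_SCHEMES else None


def check_jms_address(address: str) -> list:
    """Flag jndiURL query parameters on a CXF jms: endpoint address that use a blocked scheme.

    Returns a list of (parameter name, offending URL) tuples; empty means clean.
    """
    findings = []
    if not address.lower().startswith("jms:") or "?" not in address:
        return findings
    query = address.split("?", 1)[1]
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() in JNDI_URL_KEYS:
            for url in values:
                if blocked_scheme(url):
                    findings.append((key, url))
    return findings


def check_jndi_environment(env: dict) -> list:
    """Same check over a JNDI environment map (e.g. the Properties handed to a CXF jndiEnvironment)."""
    return [(k, v) for k, v in env.items()
            if k.lower() in JNDI_URL_KEYS and blocked_scheme(str(v))]


if __name__ == "__main__":
    # Constructed sample inputs: attacker.example and broker.internal are placeholders.
    bad = ("jms:jndi:dynamicQueues/orders"
           "?jndiInitialContextFactory=org.apache.activemq.jndi.ActiveMQInitialContextFactory"
           "&jndiURL=rmi://attacker.example:1099/Exploit")
    good = "jms:jndi:dynamicQueues/orders?jndiURL=tcp://broker.internal:61616"
    print(check_jms_address(bad))     # [('jndiURL', 'rmi://attacker.example:1099/Exploit')]
    print(check_jms_address(good))    # []
    print(check_jndi_environment({"java.naming.provider.url": "LDAP://attacker.example/cn=x"}))
    for v in ("3.6.7", "3.6.8", "4.0.8", "4.0.9", "4.1.2", "4.1.3"):
        print(v, is_vulnerable_version(v))
```

The scheme comparison is case-insensitive on purpose: JNDI providers are selected by scheme regardless of case, so a denylist that only matches lowercase `rmi:` would be trivially bypassed. The version test deliberately treats anything at or above the branch's fixed release, and every 4.2+ version, as outside the affected ranges, because those are the only ranges the advisory names.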

Added: Aug 8, 2025, 10:18 AM
Updated: Aug 8, 2025, 10:18 AM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 10.0
exploitability: 3.3
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.