Apache CXF allows unrestricted memory consumption in CXF HTTP clients

Low severity GitHub Reviewed Published Jul 19, 2024 to the GitHub Advisory Database • Updated Aug 8, 2024

Package

maven org.apache.cxf:cxf-rt-transports-http (Maven)

Affected versions

>= 4.0.0, < 4.0.5
>= 3.6.0, < 3.6.4

Patched versions

4.0.5
3.6.4

Description

In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected. Memory consumption can therefore keep growing, eventually causing the application to run out of memory.

References

Published by the National Vulnerability Database Jul 19, 2024
Published to the GitHub Advisory Database Jul 19, 2024
Reviewed Jul 19, 2024
Last updated Aug 8, 2024

Severity

Low

EPSS score

0.088%
(39th percentile)

Weaknesses

CVE ID

CVE-2024-41172

GHSA ID

GHSA-4mgg-fqfq-64hg
