Description
Title: [CVE-2024-29736] CWE-918: Server-Side Request Forgery (SSRF) (CVSS 7.5); https://ossindex.sonatype.org/vulnerability/CVE-2024-29736?component-type=maven&component-name=org.apache.cxf%2Fcxf-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.1.1
Description: Apache CXF™ is an open source services framework. CXF helps you build and develop services using frontend programming APIs, like JAX-WS and JAX-RS. These services can speak a variety of protocols such as SOAP, XML/HTTP, RESTful HTTP, or CORBA and work over a variety of transports such as HTTP, JMS or JBI.
The Apache CXF team is proud to announce the availability of our latest patch releases! Over 19 JIRA issues were fixed for 4.0.5.
These releases contain fixes for 3 different CVEs:
https://cxf.apache.org/security-advisories.data/CVE-2024-29736.txt
https://cxf.apache.org/security-advisories.data/CVE-2024-32007.txt
https://cxf.apache.org/security-advisories.data/CVE-2024-41172.txt
This ticket bumps Apache CXF from version 3.5.8 to 3.5.9 to pick up the fix for this CVE.
Related artifact: component-runtime/pom.xml, component-server-parent/component-server
Coverage information
As CXF is only used by component-server-parent/component-server, the API test campaign and the connectors build check should cover most of the risk of the CXF bump.