Vulnerabilities reported for Apache CXF before 3.3.4 and 3.2.11 

Issue date: 15-01-2020
Affects versions: 13.4, 13.3, 12.5, 11.2

Issue ID



Affected Product Version(s)

13.4.0, 12.6.7, 11.2.16 (and previous patch releases)




Apache CXF reported vulnerability CVE-2019-12406 in versions before 3.3.4 and 3.2.11

Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial-of-service attack, in which a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This limit is configurable via the message property "attachment-max-count".

Apache CXF has been updated to version 3.3.4.


Every customer is advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.
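
After the parent POM version has been raised, the resolved CXF artifacts can be checked against the fixed releases named above. The following is an added example, not part of the original advisory or the product: it parses `mvn dependency:tree` output and lists every `org.apache.cxf` artifact still below 3.3.4 / 3.2.11. The sample tree and the `com.example` project name are constructed for illustration.

```python
import re
import sys

# Fixed releases named in the advisory: 3.3.4 (3.3.x line) and 3.2.11 (3.2.x and older).
FIXED_33 = (3, 3, 4)
FIXED_32 = (3, 2, 11)

# A resolved dependency in `mvn dependency:tree` output has the form
# groupId:artifactId:type[:classifier]:version:scope
CXF_COORD = re.compile(r"org\.apache\.cxf[^\s:]*(?::[^\s:]+){4,5}")

def is_vulnerable(version):
    """True if this CXF version predates the attachment-count limit."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return True  # unparseable version: flag it for manual review
    v = tuple(int(part or 0) for part in m.groups())
    if v[:2] == (3, 3):
        return v < FIXED_33
    return v < FIXED_32

def find_vulnerable_cxf(tree_output):
    """Return sorted (artifactId, version) pairs for CXF artifacts below the fix."""
    hits = set()
    for line in tree_output.splitlines():
        match = CXF_COORD.search(line)
        if not match:
            continue
        parts = match.group(0).split(":")
        artifact, version = parts[1], parts[-2]
        if is_vulnerable(version):
            hits.add((artifact, version))
    return sorted(hits)

# Constructed sample output (not taken from a real project).
SAMPLE_TREE = r"""
[INFO] com.example:implementation-project:war:1.0.0
[INFO] +- org.apache.cxf:cxf-core:jar:3.3.3:compile
[INFO] +- org.apache.cxf:cxf-rt-frontend-jaxws:jar:3.3.4:compile
[INFO] |  \- org.apache.cxf:cxf-rt-transports-http:jar:3.2.10:compile
[INFO] +- org.apache.cxf:cxf-rt-ws-security:jar:3.2.11:compile
[INFO] \- org.apache.cxf.services.sts:cxf-services-sts-core:jar:3.1.18:runtime
"""

if __name__ == "__main__":
    # Pipe real `mvn dependency:tree` output on stdin, or run bare to use the sample.
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    for artifact, version in find_vulnerable_cxf(text):
        print(f"VULNERABLE (CVE-2019-12406): {artifact} {version}")
```

An empty result means every resolved CXF artifact is at or above a fixed release; versions with qualifiers such as `-SNAPSHOT` are compared on their numeric part only.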