CVE-2017-12624: Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to
info
vulnerability
security
Summary
Apache CXF (a framework for building web services) has a vulnerability in which specially crafted message attachment headers can crash or disable a web service, resulting in a DoS (denial of service, temporarily making a service unavailable). It affects web services built on CXF with either JAX-WS or JAX-RS (two different specifications for web services).
Solution / Mitigation
From Apache CXF versions 3.2.1 and 3.1.14 onwards, message attachment headers larger than 300 characters are rejected by default. This limit can be adjusted using the configuration property 'attachment-max-header-size'.
Vulnerability Details
CVSS Score
4.3
EPSS (30-day exploit probability)
EPSS: 3.6%
Classification
Attack Sophistication: Trivial
Impact (CIA+S)
availability
Original source: https://nvd.nist.gov/vuln/detail/CVE-2017-12624
First tracked: February 15, 2026 at 08:43 PM
Classified by LLM (prompt v3) · confidence: 95%