{"id":"CVE-2019-12406","details":"Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property \"attachment-max-count\".","aliases":["GHSA-58p8-9g59-q2hr"],"modified":"2026-04-02T01:35:56.790855Z","published":"2019-11-06T21:15:11.180Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r92238967ba2783d3ab5a483f2e17f5fdaa8ace98990f69f9e8e15de0%40%3Cissues.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rabc395b38acb7f2465bfbf0bc16d6e1e95720c89bea87abe8808eeea%40%3Cissues.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb2a6dab1f781f55326543c56dc29ea677759439ddfeba920c83037e6%40%3Cissues.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rca465c9d1e1969281338522b76701c85a07abd045c494261137236e0%40%3Cissues.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E"},{"type":"ADVISORY","url":"http://cxf.apache.org/security-advisories.data/CVE-2019-12406.txt.asc"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/cxf","events":[{"introduced":"0"},{"fixed":"da2d27d97f9e9abd7d307e2224e5e0338b767ee2"},{"introduced":"8f90e00177d464541e99ed61238cbc52cff0846d"},{"fixed":"fbd2dbf5fecbac7343b9fe442a10e75cfb9f7471"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.2.11"},{"introduced":"3.3.0"},{"fixed":"3.3.4"}]}}],"versions":["cxf-2.1","cxf-2.1.1","cxf-2.1.10","cxf-2.1.2","cxf-2.1.3","cxf-2.1.4","cxf-2.1.5","cxf-2.1.6","cxf-2.1.7","cxf-2.1.8","cxf-2.1.9","cxf-2.2","cxf-2.2.1","cxf-2.2.10","cxf-2.2.11","cxf-2.2.12","cxf-2.2.2","cxf-2.2.3","cxf-2.2.4","cxf-2.2.5","cxf-2.2.6","cxf-2.2.7","cxf-2.2.8","cxf-2.2.9","cxf-2.3.0","cxf-2.3.1","cxf-2.3.10","cxf-2.3.11","cxf-2.3.2","cxf-2.3.3","cxf-2.3.4","cxf-2.3.5","cxf-2.3.6","cxf-2.3.7","cxf-2.3.8","cxf-2.3.9","cxf-2.4.0","cxf-2.4.1","cxf-2.4.10","cxf-2.4.2","cxf-2.4.3","cxf-2.4.4","cxf-2.4.5","cxf-2.4.6","cxf-2.4.7","cxf-2.4.8","cxf-2.4.9","cxf-2.5.0","cxf-2.5.1","cxf-2.5.10","cxf-2.5.11","cxf-2.5.2","cxf-2.5.3","cxf-2.5.4","cxf-2.5.5","cxf-2.5.6","cxf-2.5.7","cxf-2.5.8","cxf-2.5.9","cxf-2.6.0","cxf-2.6.1","cxf-2.6.10","cxf-2.6.11","cxf-2.6.12","cxf-2.6.13","cxf-2.6.14","cxf-2.6.15","cxf-2.6.16","cxf-2.6.17","cxf-2.6.2","cxf-2.6.3","cxf-2.6.4","cxf-2.6.5","cxf-2.6.6","cxf-2.6.7","cxf-2.6.8","cxf-2.6.9","cxf-2.7.0","cxf-2.7.1","cxf-2.7.10","cxf-2.7.11","cxf-2.7.12","cxf-2.7.13","cxf-2.7.14","cxf-2.7.15","cxf-2.7.16","cxf-2.7.17","cxf-2.7.18","cxf-2.7.2","cxf-2.7.3","cxf-2.7.4","cxf-2.7.5","cxf-2.7.6","cxf-2.7.7","cxf-2.7.8","cxf-2.7.9","cxf-3.0.0","cxf-3.0.0-milestone1","cxf-3.0.0-milestone2","cxf-3.0.1","cxf-3.0.10","cxf-3.0.11","cxf-3.0.12","cxf-3.0.13","cxf-3.0.14","cxf-3.0.15","cxf-3.0.16","cxf-3.0.2","cxf-3.0.3","cxf-3.0.4","cxf-3.0.5","cxf-3.0.6","cxf-3.0.7","cxf-3.0.8","cxf-3.0.9","cxf-3.1.0","cxf-3.1.1","cxf-3.1.10","cxf-3.1.11","cxf-3.1.12","cxf-3.1.13","cxf-3.1.14","cxf-3.1.15","cxf-3.1.16","cxf-3.1.17","cxf-3.1.18","cxf-3.1.2","cxf-3.1.3","cxf-3.1.4","cxf-3.1.5","cxf-3.1.6","cxf-3.1.7","cxf-3.1.8","cxf-3.1.9","cxf-3.2.0","cxf-3.2.1","cxf-3.2.10","cxf-3.2.2","cxf-3.2.3","cxf-3.2.4","cxf-3.2.5","cxf-3.2.6","cxf-3.2.7","cxf-3.2.8","cxf-3.2.9","cxf-3.3.0","cxf-3.3.1","cxf-3.3.2","cxf-3.3.3","cxf-3.4.0","cxf-3.4.1","cxf-3.4.10","cxf-3.4.2","cxf-3.4.3","cxf-3.4.4","cxf-3.4.5","cxf-3.4.6","cxf-3.4.7","cxf-3.4.8","cxf-3.4.9","cxf-3.5.0","cxf-3.5.1","cxf-3.5.10","cxf-3.5.11","cxf-3.5.2","cxf-3.5.3","cxf-3.5.4","cxf-3.5.5","cxf-3.5.6","cxf-3.5.7","cxf-3.5.8","cxf-3.5.9","cxf-3.6.0","cxf-3.6.1","cxf-3.6.10","cxf-3.6.2","cxf-3.6.3","cxf-3.6.4","cxf-3.6.5","cxf-3.6.6","cxf-3.6.7","cxf-3.6.8","cxf-3.6.9","cxf-4.0.0","cxf-4.0.1","cxf-4.0.10","cxf-4.0.11","cxf-4.0.2","cxf-4.0.3","cxf-4.0.4","cxf-4.0.5","cxf-4.0.6","cxf-4.0.7","cxf-4.0.8","cxf-4.0.9","cxf-4.1.0","cxf-4.1.1","cxf-4.1.2","cxf-4.1.3","cxf-4.1.4","cxf-4.1.5","cxf-4.2.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"11.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12406.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}