vulnerability
IBM WebSphere Application Server: CVE-2019-12406: Vulnerability in Apache CXF affects WebSphere Application Server
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:N/A:P) | Nov 6, 2019 | Feb 18, 2020 | Aug 11, 2025 |
Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Published
Nov 6, 2019
Added
Feb 18, 2020
Modified
Aug 11, 2025
Description
Apache CXF before 3.3.4 and 3.2.11 does not restrict the number of message attachments present in a given message. This leaves open the possibility of a denial of service type attack, where a malicious user crafts a message containing a very large number of message attachments. From the 3.3.4 and 3.2.11 releases, a default limit of 50 message attachments is enforced. This is configurable via the message property "attachment-max-count".
Solutions
ibm-was-install-17-0-0-3-ph19989-libertyibm-was-install-9-0-ph19989ibm-was-upgrade-17-0-0-3-20-0-0-2-libertyibm-was-upgrade-9-0-9-0-5-3
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.