Hi. We use Aikido Security to scan our code for issues, and it is telling us to upgrade Apache CXF from 3.5.5 to 3.5.8 due to
"A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted."
However, I noticed that we do not have this dependency directly, and we get Apache CXF 3.5.5 via Oxalis 6.4.
aaron-kumar
commented
5 months ago
Hi. We use Aikido Security to scan our code for issues, and it is telling us to upgrade Apache CXF from 3.5.5 to 3.5.8 due to
"A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted."
However, I noticed that we do not have this dependency directly, and we get Apache CXF 3.5.5 via Oxalis 6.4.
Is this something that you can fix on your end?
Thanks in advance, Stefan.