CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a request parameter, the spec also supports specifying a URI from which to retrieve a JWT token from via the request_uri parameter. CXF was not validating the request_uri parameter (apart from ensuring it uses https) and …
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page.
The streaming XML parser in this package allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of elements, attributes, nested constructs, and possibly other vectors.
This package allows remote attackers to execute unintended web-service operations by sending a header with a SOAP Action String that is inconsistent with the message body.