CVE-2018-8039
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2018-8039
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache CXF 安全特征问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache CXF是美国阿帕奇(Apache)基金会的一个开源的Web服务框架。该框架支持多种Web服务标准、多种前端编程API等。 Apache CXF 3.1.16之前版本和3.2.0版本至3.2.5版本(不包括3.2.5版本)中存在安全特征问题漏洞。该漏洞是源于网络系统或产品中缺少身份验证、访问控制、权限管理等安全措施。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache CXF | prior to 3.1.16 | - |
II. Public POCs for CVE-2018-8039
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | None | https://github.com/tafamace/CVE-2018-8039 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2018-8039
请登录查看更多情报信息。
Patches & Fixes for CVE-2018-8039 (1)
Vendor Advisories for CVE-2018-8039 (15)
- https://www.oracle.com/security-alerts/cpuapr2020.htmlx_refsource_MISC
- https://www.oracle.com/security-alerts/cpujan2020.htmlx_refsource_MISC
Mailing List Discussions for CVE-2018-8039 (7)
Other References for CVE-2018-8039 (1)
IV. Related Vulnerabilities
Same product: Apache CXF
- CVE-2026-44417
Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS - CVE-2026-44618
Apache CXF: XXE vulnerability in WS-Transfer functionality - CVE-2026-44930
Apache CXF: LDAP Injection vulnerability in XKMS LDAP Reposi - CVE-2025-48913
Apache CXF: Untrusted JMS configuration can lead to RCE - CVE-2025-48795
Apache CXF: Denial of Service and sensitive data exposure in
Same vendor: Apache Software Foundation
- CVE-2026-42797
Apache Syncope: JexlContextBuilder Information Disclosure - CVE-2026-42782
Apache Syncope: Post-auth RCE via Groovy static - CVE-2026-46745
Apache Airflow FAB provider: LDAP Filter Injection in FAB Au - CVE-2026-45361
Apache Airflow Google provider: SSH host key verification di - CVE-2026-45249
Apache ECharts: XSS in Lines series tooltip rendering
V. Comments for CVE-2018-8039
No comments yet