[GHSA-ghvc-7hp8-2g2v] There is no restriction on the amount of attachment...

advisories/unreviewed/2026/06/GHSA-ghvc-7hp8-2g2v/GHSA-ghvc-7hp8-2g2v.json

@@ -1,19 +1,59 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-ghvc-7hp8-2g2v",
-  "modified": "2026-06-12T15:30:34Z",
+  "modified": "2026-06-12T15:31:39Z",
   "published": "2026-06-12T12:31:34Z",
   "aliases": [
     "CVE-2026-50645"
   ],
+  "summary": "Apache cxf-core: No restriction on attachment headers per message",
   "details": "There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can lead to uncontrolled resource consumption or a denial of service attack. Users are recommended to upgrade to versions 4.2.2 or 4.1.7, which fix this issue by imposing a maximum default of 500 attachments per message.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.cxf:cxf-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.2.0"
+            },
+            {
+              "fixed": "4.2.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.cxf:cxf-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.1.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",