CVE-2024-29736: 
Java vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Apache CXF's WADL service description functionality, affecting versions before 4.0.5, 3.6.4, and 3.5.9. The vulnerability was disclosed on July 19, 2024, and allows attackers to perform SSRF-style attacks on REST webservices when a custom stylesheet parameter is configured (Apache Advisory, NVD).

The vulnerability has been assigned CVE-2024-29736 and received a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. The vulnerability is classified as CWE-918 (Server-Side Request Forgery). The attack vector specifically targets the WADL service description component and requires a custom stylesheet parameter to be configured (NVD).

Successful exploitation of this vulnerability could lead to the disclosure of sensitive information and the potential modification of data. The critical CVSS score of 9.1 indicates severe potential consequences, with high impacts on both confidentiality and integrity (NetApp Advisory).

Organizations are advised to upgrade to Apache CXF versions 4.0.5, 3.6.4, or 3.5.9 or later, depending on their current version track. The vulnerability only affects installations where a custom stylesheet parameter is configured (Apache Advisory).