CVE-2024-32007: 
Java vulnerability analysis and mitigation

An improper input validation vulnerability was discovered in the p2c parameter of the Apache CXF JOSE code affecting versions before 4.0.5, 3.6.4, and 3.5.9. The vulnerability was disclosed on July 18, 2024, and was assigned CVE-2024-32007. The affected component is the Apache CXF framework's JOSE (Javascript Object Signing and Encryption) implementation (Apache Advisory, NVD).

The vulnerability stems from improper validation of the p2c (password-to-key) parameter in the JOSE implementation. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-20 (Improper Input Validation) and CWE-400 (Uncontrolled Resource Consumption) (NVD).

When successfully exploited, this vulnerability allows an attacker to perform a denial of service (DoS) attack by specifying a large value for the p2c parameter in a token. The attack can affect the availability of the service, though there are no reported impacts on confidentiality or integrity (Apache Advisory).

Users are advised to upgrade to Apache CXF versions 4.0.5, 3.6.4, or 3.5.9 or later, depending on their current version branch. These versions contain the necessary fixes to address the vulnerability (Apache Advisory).