
Apache CXF - Improper Input Validation Vulnerability

Open JannisDev opened this issue 2 months ago • 3 comments

Hey there,

I've identified an open vulnerability in the image:

  • Description: If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue.
  • Solution: Update to the latest version of the library. Vendor has provided fix in versions 3.6.8, 4.0.9, 4.1.3.
  • Findings: /usr/share/mc-image-helper-1.48.11/lib/cxf-core-3.5.11.jar
  • References: Apache, CVE-2025-48913

Please consider updating the affected library in the next release.

JannisDev avatar Oct 29 '25 15:10 JannisDev

Thanks but you're referencing an old release, so this is not valid

https://github.com/itzg/mc-image-helper/releases/tag/1.50.2

Since you didn't provide the image tag you tried, be aware of deprecated image tags:

https://docker-minecraft-server.readthedocs.io/en/latest/versions/java/#deprecated-image-tags

itzg avatar Oct 29 '25 16:10 itzg

Hi,

You're right — the finding was originally reported on an older release, but it's still present in the latest version. The Apache CXF library version hasn't changed: /usr/share/mc-image-helper-1.50.2/lib/cxf-core-3.5.11.jar

I’m using the latest tag and pulled the image yesterday.

JannisDev avatar Oct 30 '25 08:10 JannisDev
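As an added check (not part of this issue thread and not code from the itzg projects), the helper below classifies a cxf-core jar filename against the three fix levels quoted in the report (3.6.8, 4.0.9, 4.1.3), so a path such as the one quoted above can be verified directly from a shell in the container; the sample paths at the bottom are constructed.

```shell
#!/bin/sh
# Added example: report whether a cxf-core-X.Y.Z.jar is below the fix level
# for its branch, using only the fix versions named in the report.
# Usage: cxf_status <path-to-cxf-core-X.Y.Z.jar>  -> prints "affected" or "fixed"

# Fold X.Y.Z into one comparable integer (assumes each component < 1000).
ver_num() {
    echo "$1" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'
}

cxf_status() {
    name=$(basename "$1")
    ver=$(printf '%s' "$name" |
        sed -n 's/^cxf-core-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)\.jar$/\1/p')
    [ -n "$ver" ] || { echo "unrecognised jar name: $name" >&2; return 2; }
    v=$(ver_num "$ver")
    # Branch-specific fix levels: below 3.6.8 on the 3.x line, 4.0.x below
    # 4.0.9 and 4.1.x below 4.1.3 are affected; everything at or above a fix
    # level on its branch is treated as fixed.
    if   [ "$v" -lt "$(ver_num 3.6.8)" ]; then echo affected
    elif [ "$v" -lt "$(ver_num 4.0.0)" ]; then echo fixed
    elif [ "$v" -lt "$(ver_num 4.0.9)" ]; then echo affected
    elif [ "$v" -lt "$(ver_num 4.1.0)" ]; then echo fixed
    elif [ "$v" -lt "$(ver_num 4.1.3)" ]; then echo affected
    else echo fixed
    fi
}

# Constructed sample paths: the jar quoted in the thread and a patched one.
for jar in /usr/share/mc-image-helper-1.50.2/lib/cxf-core-3.5.11.jar \
           /opt/example/lib/cxf-core-3.6.8.jar; do
    printf '%s: %s\n' "$jar" "$(cxf_status "$jar")"
done
```

Inside a running container the same function can be fed the output of `ls /usr/share/mc-image-helper-*/lib/cxf-core-*.jar`.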

This issue is stale because it has been open 30 days with no activity. Please add a comment describing the reason to keep this issue open.

github-actions[bot] avatar Nov 30 '25 02:11 github-actions[bot]