Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


The Apache CXF team is proud to announce the availability of our latest patch releases!  Over 30 JIRA issues were fixed for 3.3.5, many back ported to 3.2.12.This is mostly a patch release to fix problems and issues that users have encountered.   Downloads

These releases contain fixes for two new security advisories:

  • CVE-2019-17573: Apache CXF Reflected XSS in the services listing page
  • CVE-2019-12423: Apache CXF OpenId Connect JWK Keys service returns private/secret credentials if configured with a jwk keystore

Downloads are available here.

October 28, 2019 - Apache CXF 3.3.4 and 3.2.11 released!