Apache CXF 2.0.x prior to 2.0.13, 2.1.x prior to 2.1.10, and 2.2.x prior to 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote malicious users ...
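An added example, not code from Apache CXF or from its fix: one way for a Java service to refuse any SOAP message that carries a DOCTYPE before the body is handed to further processing, using the standard StAX API. SOAP 1.1 states that a message must not contain a Document Type Declaration. The class name, the `requireNoDtd` helper and the sample messages are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SoapDtdGuard {
    // Hypothetical helper (not a CXF API): returns the local name of the root
    // element, or throws if the message carries a DOCTYPE declaration.
    static String requireNoDtd(String soapXml) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        // Defence in depth: no DTD processing and no external entity resolution,
        // so nothing is expanded or fetched while the prolog is scanned.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(soapXml));
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.DTD) {
                    // Explicit rejection: the message is refused, not silently cleaned.
                    throw new XMLStreamException("DTD not allowed in SOAP message",
                                                 reader.getLocation());
                }
                if (event == XMLStreamConstants.START_ELEMENT) {
                    return reader.getLocalName(); // prolog is over; no DOCTYPE can follow
                }
            }
            throw new XMLStreamException("no root element");
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample messages, not captured traffic.
        String envelope = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                        + "<soap:Body><ping/></soap:Body></soap:Envelope>";
        String clean = "<?xml version=\"1.0\"?>" + envelope;
        String withDtd = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY e \"v\">]>" + envelope;
        for (String message : new String[] { clean, withDtd }) {
            try {
                System.out.println("accepted, root=" + requireNoDtd(message));
            } catch (XMLStreamException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```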