Apache · Apache Cxf · CVE-2022-46363
**Name of the Vulnerable Software and Affected Versions**
Apache CXF versions prior to 3.4.10
Apache CXF versions prior to 3.5.5
**Description**
A vulnerability in Apache CXF allows an attacker to perform a remote directory listing or code exfiltration. This issue arises when the CXFServlet is configured with both the `static-resources-list` and `redirect-query-check` attributes, which are not intended to be used together. The vulnerability can only occur if the CXF service is misconfigured.
**Recommendations**
For versions prior to 3.4.10, update to version 3.4.10 or later to resolve the issue.
For versions prior to 3.5.5, update to version 3.5.5 or later to resolve the issue.
As a temporary workaround, correct the CXFServlet configuration so that the `static-resources-list` and `redirect-query-check` attributes are not set together.