PT-2022-27839 · Apache · Apache Cxf

Thanat0S · Published 2022-12-13 · Updated 2025-04-22 · CVE-2022-46363

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache CXF versions prior to 3.4.10
Apache CXF versions prior to 3.5.5

Description
A vulnerability in Apache CXF allows an attacker to perform a remote directory listing or code exfiltration. The issue arises when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes, which are not intended to be used together. The vulnerability can only be triggered when the CXF service is misconfigured in this way.

Recommendations
For versions prior to 3.4.10, update to version 3.4.10 or later. For versions prior to 3.5.5, update to version 3.5.5 or later. As a temporary workaround, remove or correct the CXFServlet misconfiguration by ensuring that the static-resources-list and redirect-query-check attributes are not set on the same servlet.
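The misconfiguration described above, shown as a web.xml servlet definition next to a corrected one. This is an added illustration, not configuration from the advisory or from the Apache CXF project; the servlet class name is the standard CXF one, while the servlet names, URL pattern and resource regexes are constructed for the example.

```xml
<!-- Added example (not from the advisory). Servlet names and the
     static-resources-list regexes are constructed; the servlet class is the
     standard Apache CXF servlet. -->

<!-- WEAK: static-resources-list and redirect-query-check are both set on the
     same CXFServlet. This is the combination the advisory warns about. -->
<servlet>
  <servlet-name>CXFServletWeak</servlet-name>
  <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
  <init-param>
    <param-name>static-resources-list</param-name>
    <param-value>/static/.*\.html /static/.*\.css</param-value>
  </init-param>
  <init-param>
    <param-name>redirect-query-check</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>

<!-- FIXED: keep only the parameter this deployment actually needs. Here the
     servlet serves static resources, so redirect-query-check is dropped.
     Upgrading to CXF 3.4.10 / 3.5.5 or later is still required; removing the
     parameter is only the workaround. -->
<servlet>
  <servlet-name>CXFServletFixed</servlet-name>
  <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
  <init-param>
    <param-name>static-resources-list</param-name>
    <param-value>/static/.*\.html /static/.*\.css</param-value>
  </init-param>
</servlet>
```

When auditing, check every web.xml and any programmatic servlet registration for both parameter names appearing on the same CXFServlet instance, not just the deployment descriptor you expect.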

Fix · RCE · Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2022-46363
GHSA-3W37-5P3P-JV92
RHSA-2023:1043
RHSA-2023:1044
RHSA-2023:1045
RHSA-2025:1746
RHSA-2025:1747

Affected Products

Apache Cxf