PT-2022-27840 · Apache · Apache Cxf

Thanat0S · Published 2022-12-13 · Updated 2026-05-10 · CVE-2022-46364

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache CXF versions prior to 3.5.5
Apache CXF versions prior to 3.4.10

Description

A Server-Side Request Forgery (SSRF) issue exists in the parsing of the href attribute of XOP:Include in MTOM requests. This allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type.

Recommendations

For versions prior to 3.5.5, update to version 3.5.5 or later. For versions prior to 3.4.10, update to version 3.4.10 or later. As a temporary workaround, consider restricting access to the XOP:Include element in MTOM requests until a patch is available.

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2022-46364
GHSA-X3X3-QWJQ-8GJ4
RHSA-2023:0163
RHSA-2023:0552
RHSA-2023:0553
RHSA-2023:0554
RHSA-2023:1043
RHSA-2023:1044
RHSA-2023:1045
RHSA-2024:10207
RHSA-2024:10208

Affected Products

Apache Cxf