oss-sec mailing list archives

CVE-2022-46364: Apache CXF SSRF Vulnerability

From: Colm O hEigeartaigh <coheigea () apache org>
Date: Tue, 13 Dec 2022 15:17:08 +0000

CVE-2022-46364: Apache CXF SSRF Vulnerability

Severity: important

Description:

A SSRF vulnerability in parsing the href attribute of XOP:Include in
MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows
an attacker to perform SSRF style attacks on webservices that take at
least one parameter of any type.

Credit:

thanat0s from Beijin Qihoo 360 adlab (finder) (finder)

References:

https://cxf.apache.org/
https://www.cve.org/CVERecord?id=CVE-2022-46364

Current thread:

CVE-2022-46364: Apache CXF SSRF Vulnerability Colm O hEigeartaigh (Dec 13)