CVE-2022-46364

CWE-918 — Server-Side Request Forgery (SSRF)8 documents6 sources

Severity

9.8CRITICAL

EPSS

0.1%

top 66.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache CXF Apache CXF

Timeline

PublishedDec 13

Latest updateApr 15

Description

A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/cxf3.5.0 — 3.5.5+1

▶Mavenorg.apache.cxf:cxf-core3.5.0 — 3.5.5+1

▶CVEListV5apache_software_foundation/apache_cxf< 3.5.5+1

🔴Vulnerability Details

CVEList

Apache CXF SSRF Vulnerability↗2022-12-13

▶

GHSA

Apache CXF Server-Side Request Forgery vulnerability↗2022-12-13

▶

OSV

Apache CXF Server-Side Request Forgery vulnerability↗2022-12-13

▶

📋Vendor Advisories

Oracle

Oracle Oracle Commerce Risk Matrix: Endeca Integration (Apache CXF) — CVE-2022-46364↗2024-04-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Messaging Store (Apache CXF) — CVE-2022-46364↗2023-07-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Virtual Network Function Manager (Apache CXF) — CVE-2022-46364↗2023-04-15

▶

Red Hat

CXF: SSRF Vulnerability↗2022-12-13

▶