CVE-2022-46363

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.

References

https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c

Affected packages

Git / github.com/apache/cxf

Affected ranges

Type

GIT

Repo

https://github.com/apache/cxf

Events

Introduced

Fixed

c1cb4f5ffa1ec63e577644659c5957a3c1e94255

Introduced

f93a0cea91c19c41338d96899a69bb66c463e9ff

Fixed

dc4477f563acddc522018d9ef817304096b57a70

Database specific

{
    "cpe": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.4.10"
        },
        {
            "introduced": "3.5.0"
        },
        {
            "fixed": "3.5.5"
        }
    ],
    "source": "CPE_FIELD"
}

Affected versions

cxf-2.*

cxf-2.1

cxf-2.1.2

cxf-2.2

cxf-2.2.1

cxf-2.2.2

cxf-2.3.0

cxf-2.4.0

cxf-2.5.0

cxf-2.5.1

cxf-2.6.0

cxf-2.6.1

cxf-2.7.0

cxf-2.7.1

cxf-2.7.2

cxf-3.*

cxf-3.0.0

cxf-3.0.0-milestone2

cxf-3.1.0

cxf-3.1.1

cxf-3.1.2

cxf-3.1.3

cxf-3.1.4

cxf-3.2.0

cxf-3.2.1

cxf-3.2.2

cxf-3.2.3

cxf-3.2.4

cxf-3.2.5

cxf-3.3.0

cxf-3.3.1

cxf-3.3.2

cxf-3.3.3

cxf-3.4.0

cxf-3.4.1

cxf-3.4.2

cxf-3.4.3

cxf-3.4.4

cxf-3.4.5

cxf-3.4.6

cxf-3.4.7

cxf-3.4.8

cxf-3.4.9

cxf-3.5.0

cxf-3.5.1

cxf-3.5.2

cxf-3.5.3

cxf-3.5.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-46363.json"