Description

A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. 

Remediation

References

https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2

Related Vulnerabilities

CVE-2016-3081 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2018-1999034 Vulnerability in maven package com.inedo.proget:inedo-proget

CVE-2023-29205 Vulnerability in maven package org.xwiki.platform:xwiki-platform-rendering-xwiki

CVE-2016-4055 Vulnerability in npm package moment

CVE-2021-21119 Vulnerability in maven package org.webjars.npm:electron

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory NVD-CWE-noinfo