CVE-2022-46363

Source
https://cve.org/CVERecord?id=CVE-2022-46363
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-46363.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-46363
Published
2022-12-13T15:15:11.677Z
Modified
2026-02-05T21:43:21.946598Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.

Affected packages

Git / github.com/apache/cxf

Affected versions

cxf-3.*
cxf-3.5.0
cxf-3.5.1
cxf-3.5.2
cxf-3.5.3
cxf-3.5.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-46363.json"