First published: Tue Dec 13 2022(Updated: )
A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.
Credit: security@apache.org security@apache.org security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
maven/org.apache.cxf:cxf-core | >=3.5.0<3.5.5 | 3.5.5 |
maven/org.apache.cxf:cxf-core | <3.4.10 | 3.4.10 |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el7 | 0:18.0.6-1.redhat_00001.1.el7 |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el8 | 0:18.0.6-1.redhat_00001.1.el8 |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el9 | 0:18.0.6-1.redhat_00001.1.el9 |
IBM Security Verify Governance | <=10.0 | |
Apache CXF | <3.4.10 | |
Apache CXF | >=3.5.0<3.5.5 | |
redhat/Apache CXF | <3.5.5 | 3.5.5 |
redhat/Apache CXF | <3.4.10 | 3.4.10 |
<3.4.10 | ||
>=3.5.0<3.5.5 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
The vulnerability ID for this Apache CXF vulnerability is CVE-2022-46363.
CVE-2022-46363 has a severity level of 7.5 (high).
CVE-2022-46363 affects Apache CXF by allowing a remote attacker to obtain sensitive information through a flaw in the CXFServlet configuration.
Apache CXF versions 3.5.0 up to and including 3.5.5, as well as versions 3.4.10 and earlier, are affected by CVE-2022-46363.
To fix CVE-2022-46363 in Apache CXF, update to version 3.5.5 or apply the recommended patches provided by the vendor.