Description

A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. 

Remediation

References

https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2

Related Vulnerabilities

CVE-2018-1999035 Vulnerability in maven package com.inedo.buildmaster:inedo-buildmaster

CVE-2022-34196 Vulnerability in maven package io.jenkins.plugins:rest-list-parameter

CVE-2022-34211 Vulnerability in maven package org.jenkins-ci.plugins:vmware-vrealize-orchestrator

CVE-2021-26291 Vulnerability in maven package org.apache.maven:apache-maven

CVE-2012-4458 Vulnerability in maven package org.apache.qpid:qpid-common

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory NVD-CWE-noinfo