CVE-2022-46363

Опубликовано: 13 дек. 2022

Источник: redhat

CVSS3: 7.5

EPSS Низкий

Описание

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.

A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.

Затронутые пакеты

Платформа	Пакет	Состояние
Logging Subsystem for Red Hat OpenShift	openshift-logging/elasticsearch6-rhel8	Not affected
Migration Toolkit for Applications 6	org.keycloak-keycloak-parent	Not affected
Migration Toolkit for Runtimes	org.apache.cxf-cxf-api	Will not fix
Migration Toolkit for Runtimes	org.keycloak-keycloak-parent	Not affected
Red Hat build of Quarkus	CXF	Not affected
Red Hat Data Grid 8	CXF	Not affected
Red Hat Decision Manager 7	CXF	Out of support scope
Red Hat Integration Camel Quarkus 1	CXF	Not affected
Red Hat JBoss Data Grid 7	CXF	Out of support scope
Red Hat JBoss Data Virtualization 6	CXF	Out of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-20

https://bugzilla.redhat.com/show_bug.cgi?id=2155681CXF: directory listing / code exfiltration

EPSS

Процентиль: 25%

0.00089

Низкий

7.5 High

CVSS3

Связанные уязвимости

CVE-2022-46363

CVSS3: 7.5

nvd

около 3 лет назад

GHSA-3w37-5p3p-jv92

CVSS3: 7.5

github

около 3 лет назад

Apache CXF vulnerable to Exposure of Sensitive Information

EPSS

Процентиль: 25%

0.00089

Низкий

7.5 High

CVSS3