Description
An SSRF (Server-Side Request Forgery) vulnerability exists in Apache CXF versions before 3.5.5 and 3.4.10, in the parsing of the href attribute of XOP:Include elements in MTOM requests. Because the href is resolved without being restricted to attachments carried in the request itself, an attacker who can reach a web service that takes at least one parameter of any type can make the server issue requests to attacker-chosen resources.
Statement
Red Hat Integration Camel Quarkus does not support CXF extensions and is therefore affected only at a reduced impact of Moderate. The Red Hat Single Sign-On (RHSSO) server does not ship Apache CXF: the component named in CVE-2022-46364 is a transitive dependency pulled in by the Fuse adapters and the test suite.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel8 | Not affected | | |
| Red Hat build of Quarkus | CXF | Affected | | |
| Red Hat Data Grid 8 | CXF | Affected | | |
| Red Hat Integration Camel K 1 | CXF | Not affected | | |
| Red Hat Integration Camel Quarkus 1 | CXF | Not affected | | |
| Red Hat JBoss Data Grid 7 | CXF | Out of support scope | | |
| Red Hat JBoss Data Virtualization 6 | CXF | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | apache-cxf | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | apache-cxf-xjc-utils | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | CXF | Out of support scope | | |
Additional information
CVSS3: 9.8 Critical
Related vulnerabilities
Apache CXF Server-Side Request Forgery vulnerability (CVSS3: 9.8 Critical): the same issue described above, SSRF via the href attribute of XOP:Include in MTOM requests, affecting Apache CXF before 3.5.5 and 3.4.10 and any web service that takes at least one parameter of any type.