Description
An SSRF vulnerability in the WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF-style attacks on REST web services. The attack only applies if a custom stylesheet parameter is configured.
A Server-side request forgery (SSRF) vulnerability was found in Apache CXF in the WADL service description. The flaw allows an attacker to perform SSRF-style attacks on REST web services. The attack only applies if a custom stylesheet parameter is configured.
Statement
This SSRF vulnerability in Apache CXF's WADL service description is of significant severity because it allows an attacker to manipulate server-side requests, potentially leading to unauthorized access to internal resources. By exploiting this flaw, an attacker can craft malicious requests that bypass traditional security controls, enabling the server to communicate with internal systems, which may include databases, cloud services, or other sensitive infrastructure.
Mitigation
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected Packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Fuse 7 | org.apache.cxf/cxf-rt-rs-service-description | Affected | | |
| Red Hat Integration Camel K 1 | org.apache.cxf/cxf-rt-rs-service-description | Will not fix | | |
| Red Hat JBoss Data Grid 7 | org.apache.cxf/cxf-rt-rs-service-description | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 7 | cxf-rt-rs-service-description | Affected | | |
| Red Hat JBoss Enterprise Application Platform 8 | cxf-rt-rs-service-description | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | cxf-rt-rs-service-description | Not affected | | |
| Red Hat build of Apache Camel 3.20.7 for Spring Boot | | Fixed | RHSA-2024:6883 | 19.09.2024 |
| Red Hat build of Apache Camel 4.4.0 for Spring Boot | | Fixed | RHSA-2024:2707 | 06.05.2024 |
Additional information
CVSS3: 9.1 Critical
Related vulnerabilities
Apache CXF: SSRF vulnerability via WADL stylesheet parameter
Vulnerability in the WADL (Web Application Description Language) component of the Apache CXF web services framework that allows an attacker to carry out an SSRF attack