Apache CXF <=3.5.5/3.4.10: CXFServlet misconfig -> Dir Listing & Exfil
CVE-2022-46363 Published on December 13, 2022
Apache CXF directory listing / code exfiltration
A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.
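As an added example (not part of this advisory or the CXF project), a small Python audit that parses a deployment descriptor and flags any CXFServlet definition carrying both attributes named above. It assumes the two attributes are set as servlet init-params in web.xml; the sample descriptor and its servlet names are constructed.

```python
import xml.etree.ElementTree as ET

# Init-param names quoted in the advisory; setting both on one CXFServlet is the misconfiguration.
STATIC_RESOURCES = "static-resources-list"
REDIRECT_QUERY_CHECK = "redirect-query-check"

# Constructed sample deployment descriptor (not from any real project): one misconfigured
# CXFServlet and one unrelated servlet that happens to use static-resources-list.
SAMPLE_WEB_XML = r"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>CXFServlet</servlet-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <init-param><param-name>static-resources-list</param-name><param-value>/.*\.html</param-value></init-param>
    <init-param><param-name>redirect-query-check</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>OtherServlet</servlet-name>
    <servlet-class>com.example.OtherServlet</servlet-class>
    <init-param><param-name>static-resources-list</param-name><param-value>/.*\.html</param-value></init-param>
  </servlet>
</web-app>"""

def _local(tag):
    """Strip an XML namespace prefix so web.xml with or without a default namespace is handled."""
    return tag.rsplit("}", 1)[-1]

def init_param_names(servlet):
    """Collect the param-name values of a <servlet> element's init-params."""
    names = set()
    for init in servlet:
        if _local(init.tag) == "init-param":
            for child in init:
                if _local(child.tag) == "param-name":
                    names.add((child.text or "").strip())
    return names

def find_misconfigured_cxf_servlets(web_xml_text):
    """Return the servlet-names of CXFServlet definitions that set both risky init-params."""
    flagged = []
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        is_cxf = "CXFServlet" in fields.get("servlet-class", "")
        if is_cxf and {STATIC_RESOURCES, REDIRECT_QUERY_CHECK} <= init_param_names(servlet):
            flagged.append(fields.get("servlet-name", "<unnamed>"))
    return flagged

if __name__ == "__main__":
    print(find_misconfigured_cxf_servlets(SAMPLE_WEB_XML))  # ['CXFServlet']
```

Run it against each deployed web.xml; a flagged servlet should lose one of the two init-params, independently of upgrading to 3.5.5 or 3.4.10.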
Vulnerability Analysis
CVE-2022-46363 can be exploited with network access and requires neither privileges nor user interaction. Its attack complexity is considered low. Successful exploitation is considered to have a high impact on confidentiality and no impact on integrity or availability.
Weakness Type
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2022-46363
Affected Versions
Apache Software Foundation Apache CXF:
- 3.5.x releases before 3.5.5 are affected.
- 3.4.x releases before 3.4.10 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.