CVE-2022-46363

EPSS 0.07%
Published 13.12.2022 15:15:11
Last modified 22.04.2025 03:15:20
Source security@apache.org
Teams watchlist Login
Open Login

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Cxf Version < 3.4.10

Apache ≫ Cxf Version >= 3.5.0 < 3.5.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.07%	0.23

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2022-46363

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-46363

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-46363

EUVD