CVE-2022-46364

Aliases:GHSA-x3x3-qwjq-8gj4

Advisory lineage Upstream: 0 Downstream: 9

Downstream

RHSA-2023:0163 RHSA-2023:0552 RHSA-2023:0553 RHSA-2023:0554 RHSA-2023:1043 RHSA-2023:1044

Modified

Published: 13 Dec 2022, 16:20

Last modified:22 Apr 2025, 02:48

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.1 (cve.org)

EPSS Score

0.1% LOW

0% probability -0.03%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

13 Dec 2022, 16:20

Published

Vulnerability first disclosed

22 Apr 2025, 02:48

Last Modified

Vulnerability information updated

Description

A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

CVSS Metrics

v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.10%• Percentile: 28%

Techniques & Countermeasures

CWE-918•Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Affected Systems

apache software foundation•apache cxf
< 3.5.5 | < 3.4.10
apache•cxf
< 3.4.10 | ≥ 3.5.0, < 3.5.5
org.apache.cxf•cxf-core
< 3.4.10 | ≥ 3.5.0, < 3.5.5