A server-side request forgery (SSRF) vulnerability in the way Apache CXF parses the href attribute of XOP:Include elements in MTOM requests, in versions before 3.5.5 and 3.4.10 (3.5.x before 3.5.5, 3.4.x before 3.4.10), lets an unauthenticated remote attacker perform SSRF-style attacks against any web service that takes at least one parameter of any type: the attachment href is resolved while the request is being parsed, before the operation itself is dispatched.
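The request shape that triggers this class of bug, and the check a practitioner would want in front of an endpoint, as an added example that is not Apache CXF code and does not reproduce CXF internals: an MTOM request is a multipart/related body whose root part is SOAP XML and whose XOP:Include elements point at sibling MIME parts via `href="cid:..."`. The audit below accepts an href only if it uses the `cid:` scheme and resolves to a Content-ID present in the same message; anything else (http, file, or a dangling cid) is flagged. The service namespace, Content-IDs, boundary and sample hrefs are constructed for the example. The real remediation is upgrading to CXF 3.4.10 or 3.5.5 (the Red Hat builds listed below ship eap7-apache-cxf 3.4.10); this check is defense in depth or a regression test, not a substitute.

```python
"""Constructed MTOM/XOP samples plus an xop:Include href audit for the
CVE-2022-46364 pattern (non-cid hrefs). Example code, not part of Apache CXF."""
import email
from email import policy
from urllib.parse import unquote, urlsplit
import xml.etree.ElementTree as ET  # use defusedxml on untrusted input in production

XOP_NS = "http://www.w3.org/2004/08/xop/include"
# Hypothetical service namespace and Content-IDs, used only for the samples.
SVC_NS = "http://svc.example.invalid/upload"
ROOT_CID = "root.message@cxf.apache.org"
DOC_CID = "doc1@svc.example.invalid"


def build_request(href: str) -> bytes:
    """Build a constructed MTOM request whose single xop:Include carries `href`.
    `href` must not contain XML special characters (no escaping is done)."""
    boundary = "uuid:0000-constructed-boundary"
    soap = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        f'<soap:Body><ns:upload xmlns:ns="{SVC_NS}"><ns:document>'
        f'<xop:Include xmlns:xop="{XOP_NS}" href="{href}"/>'
        '</ns:document></ns:upload></soap:Body></soap:Envelope>'
    )
    return (
        'MIME-Version: 1.0\r\n'
        'Content-Type: multipart/related; type="application/xop+xml"; '
        f'boundary="{boundary}"; start="<{ROOT_CID}>"; start-info="text/xml"\r\n'
        '\r\n'
        f'--{boundary}\r\n'
        'Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"\r\n'
        'Content-Transfer-Encoding: binary\r\n'
        f'Content-ID: <{ROOT_CID}>\r\n'
        '\r\n'
        f'{soap}\r\n'
        f'--{boundary}\r\n'
        'Content-Type: application/octet-stream\r\n'
        'Content-Transfer-Encoding: binary\r\n'
        f'Content-ID: <{DOC_CID}>\r\n'
        '\r\n'
        'attachment bytes\r\n'
        f'--{boundary}--\r\n'
    ).encode("utf-8")


def split_mtom(raw: bytes):
    """Return (root XML bytes, {content-id: part}) for a multipart/related body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/related":
        raise ValueError("not an MTOM (multipart/related) message")
    parts = {}
    for part in msg.iter_parts():
        cid = part.get("Content-ID")
        if cid:
            parts[cid.strip().strip("<>")] = part  # Content-ID: <x@y> -> x@y
    start = msg.get_param("start")  # root part named by the start= parameter
    root = parts.get(start.strip("<>")) if start else next(msg.iter_parts(), None)
    if root is None:
        raise ValueError("root part not found")
    return root.get_payload(decode=True), parts


def audit_xop_includes(raw: bytes) -> list[dict]:
    """Classify every xop:Include href in the root part.
    'ok'           cid: href that resolves to a MIME part of this message
    'dangling-cid' cid: href with no matching part
    'non-cid-href' any other scheme (http, file, ...): the SSRF pattern"""
    root_xml, parts = split_mtom(raw)
    findings = []
    for inc in ET.fromstring(root_xml).iter(f"{{{XOP_NS}}}Include"):
        href = inc.get("href", "")
        if urlsplit(href).scheme.lower() != "cid":
            verdict = "non-cid-href"
        elif unquote(href[len("cid:"):]) not in parts:  # XOP percent-encodes the cid
            verdict = "dangling-cid"
        else:
            verdict = "ok"
        findings.append({"href": href, "verdict": verdict})
    return findings


def is_safe(raw: bytes) -> bool:
    """True only when every xop:Include resolves to a local attachment."""
    return all(f["verdict"] == "ok" for f in audit_xop_includes(raw))


if __name__ == "__main__":
    for href in (f"cid:{DOC_CID}", "http://169.254.169.254/latest/meta-data/",
                 "file:///etc/passwd", "cid:missing@svc.example.invalid"):
        print(href, "->", audit_xop_includes(build_request(href)))
```

Run it and the first href is the only one reported `ok`; the metadata-service and `file:` hrefs are the shapes a pentester would send to confirm the SSRF, and a dangling `cid:` is rejected too so that an endpoint never has to decide what to do with a reference it cannot satisfy locally.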
Metrics
No CVSS v4.0
CVSS v3.1 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8 Critical):
Metric | Value |
---|---|
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | None |
Scope | Unchanged |
Confidentiality Impact | High |
Integrity Impact | High |
Availability Impact | High |
No CVSS v3.0
No CVSS v2
This CVE is not in the KEV list.
Key SSVC decision points have not yet been added.
Affected Vendors & Products
Vendors | Products |
---|---|
Apache | Apache CXF |
Redhat | JBoss EAP 7.4, Fuse 7, Single Sign-On 7.6, Camel Spring Boot, RHPAM 7.13, Migration Toolkit for Runtimes/Applications, RHEL-8 Middleware Containers (see package table) |
Package | CPE | Advisory | Released Date |
---|---|---|---|
EAP 7.4 async | |||
CXF | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | RHSA-2023:0164 | 2023-01-12T00:00:00Z |
Migration Toolkit for Runtimes 1 on RHEL 8 | |||
org.keycloak-keycloak-parent | cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 | RHSA-2023:1285 | 2023-03-16T00:00:00Z |
mtr/mtr-web-container-rhel8:1.0-22 | cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 | RHSA-2023:1286 | 2023-03-16T00:00:00Z |
MTA-6.1-RHEL-8 | |||
mta/mta-windup-addon-rhel8:6.1.0-11 | cpe:/a:redhat:migration_toolkit_applications:6.1::el8 | RHSA-2023:2041 | 2023-04-27T00:00:00Z |
Red Hat Fuse 7.11.1.P1 | |||
CXF | cpe:/a:redhat:jboss_fuse:7 | RHSA-2023:0483 | 2023-01-26T00:00:00Z |
Red Hat Fuse 7.12 | |||
(not listed) | cpe:/a:redhat:jboss_fuse:7 | RHSA-2023:3954 | 2023-06-29T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7 | |||
CXF | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | RHSA-2023:0556 | 2023-01-31T00:00:00Z |
eap7-apache-sshd | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-elytron-web | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-hal-console | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-hibernate-search | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-ironjacamar | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jackson-annotations | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jackson-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jackson-databind | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jackson-jaxrs-providers | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jackson-modules-base | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jackson-modules-java8 | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-javaee-security-soteria | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jboss-ejb-client | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jboss-jsf-api_2.3_spec | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jboss-jsp-api_2.3_spec | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jboss-remoting | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jboss-server-migration | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jettison | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-undertow | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-wildfly | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-wildfly-elytron | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-woodstox-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-apache-sshd | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-elytron-web | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-hal-console | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-hibernate-search | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-ironjacamar | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jackson-annotations | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jackson-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jackson-databind | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jackson-jaxrs-providers | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jackson-modules-base | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jackson-modules-java8 | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-javaee-security-soteria | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jboss-ejb-client | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jboss-jsf-api_2.3_spec | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jboss-jsp-api_2.3_spec | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jboss-remoting | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jboss-server-migration | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jettison | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-undertow | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-wildfly | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-wildfly-elytron | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-woodstox-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-apache-sshd | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-elytron-web | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-hal-console | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-hibernate-search | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-ironjacamar | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jackson-annotations | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jackson-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jackson-databind | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jackson-jaxrs-providers | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jackson-modules-base | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jackson-modules-java8 | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-javaee-security-soteria | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jboss-ejb-client | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jboss-jsf-api_2.3_spec | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jboss-jsp-api_2.3_spec | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jboss-remoting | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jboss-server-migration | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jettison | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-undertow | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-wildfly | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-wildfly-elytron | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-woodstox-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | |||
eap7-apache-cxf-0:3.4.10-1.redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0163 | 2023-01-12T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | |||
eap7-apache-cxf-0:3.4.10-1.redhat_00001.1.el9eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0163 | 2023-01-12T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | |||
eap7-apache-cxf-0:3.4.10-1.redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0163 | 2023-01-12T00:00:00Z |
Red Hat Single Sign-On 7 | |||
(not listed) | cpe:/a:redhat:red_hat_single_sign_on:7.6 | RHSA-2023:1049 | 2023-03-01T00:00:00Z |
Red Hat Single Sign-On 7.6 for RHEL 7 | |||
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso | cpe:/a:redhat:red_hat_single_sign_on:7.6::el7 | RHSA-2023:1043 | 2023-03-01T00:00:00Z |
Red Hat Single Sign-On 7.6 for RHEL 8 | |||
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso | cpe:/a:redhat:red_hat_single_sign_on:7.6::el8 | RHSA-2023:1044 | 2023-03-01T00:00:00Z |
Red Hat Single Sign-On 7.6 for RHEL 9 | |||
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso | cpe:/a:redhat:red_hat_single_sign_on:7.6::el9 | RHSA-2023:1045 | 2023-03-01T00:00:00Z |
RHEL-8 based Middleware Containers | |||
rh-sso-7/sso76-openshift-rhel8:7.6-20 | cpe:/a:redhat:rhosemc:1.0::el8 | RHSA-2023:1047 | 2023-03-01T00:00:00Z |
RHINT Camel-Springboot 3.14.5.P1 | |||
CXF | cpe:/a:redhat:camel_spring_boot:3.14.5 | RHSA-2023:0544 | 2023-01-30T00:00:00Z |
RHINT Camel-Springboot 3.18.3.P2 | |||
(not listed) | cpe:/a:redhat:camel_spring_boot:3.18 | RHSA-2023:3641 | 2023-06-15T00:00:00Z |
RHPAM 7.13.1 async | |||
CXF | cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13 | RHSA-2023:2135 | 2023-05-04T00:00:00Z |
History
No history.
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2022-12-13T16:20:26.765Z
Updated: 2024-08-03T14:31:46.249Z
Reserved: 2022-12-02T08:07:46.894Z
Link: CVE-2022-46364
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-12-13T17:15:17.587
Modified: 2023-11-07T03:55:35.660
Link: CVE-2022-46364
Redhat