#VU70443 Information disclosure in Apache CXF - CVE-2022-46363

Cybersecurity Help s.r.o.

Published: 2022-12-20

Vulnerability identifier: #VU70443

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-46363

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache CXF
Server applications / Frameworks for developing and running applications

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. A remote attacker can gain list directories on the system or exfiltrate code.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache CXF: 3.4.0 - 3.5.4

External links
https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Multiple vulnerabilities in IBM Security Verify Governance

Multiple vulnerabilities in IBM Sterling B2B Integrator

Multiple vulnerabilities in IBM Security Guardium

Multiple vulnerabilities in IBM QRadar SIEM

Multiple vulnerabilities in IBM Data Risk Manager

Information disclosure in IBM Intelligent Operations Center

Multiple vulnerabilities in Fuse 7

Multiple vulnerabilities in Red Hat Integration Camel K