Information disclosure in Apache CXF

#VU70443 Information disclosure in Apache CXF

Published: 2022-12-20

Vulnerability identifier: #VU70443

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-46363

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache CXF
Server applications / Frameworks for developing and running applications

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. A remote attacker can gain list directories on the system or exfiltrate code.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache CXF: 3.4.0 - 3.5.4

External links
http://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Sterling B2B Integrator

Multiple vulnerabilities in IBM Security Guardium

Multiple vulnerabilities in IBM QRadar SIEM

Multiple vulnerabilities in IBM Data Risk Manager

Information disclosure in IBM Intelligent Operations Center

Multiple vulnerabilities in Red Hat Integration Camel K

Multiple vulnerabilities in Red Hat Integration Camel for Spring Boot

Multiple vulnerabilities in IBM ECM Content Management Interoperability Services (CMIS)

Information disclosure in IBM Tivoli Business Service Manager

Information disclosure in IBM Sterling Global Mailbox