Bug 2155681 (CVE-2022-46363) - CVE-2022-46363 Apache CXF: directory listing / code exfiltration
Summary: CVE-2022-46363 Apache CXF: directory listing / code exfiltration
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-46363
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2153018
Reported: 2022-12-21 20:49 UTC by Zack Miele
Modified: 2024-01-10 03:19 UTC (History)
Fixed In Version: Apache CXF 3.5.5, Apache CXF 3.4.10
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.
Clone Of:
Environment:
Last Closed: 2023-02-01 05:26:03 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:0483 0 None None None 2023-01-26 21:55:54 UTC
Red Hat Product Errata RHSA-2023:0544 0 None None None 2023-01-30 17:12:08 UTC
Red Hat Product Errata RHSA-2023:1043 0 None None None 2023-03-01 21:43:54 UTC
Red Hat Product Errata RHSA-2023:1044 0 None None None 2023-03-01 21:46:23 UTC
Red Hat Product Errata RHSA-2023:1045 0 None None None 2023-03-01 21:48:51 UTC
Red Hat Product Errata RHSA-2023:1047 0 None None None 2023-03-01 21:51:34 UTC
Red Hat Product Errata RHSA-2023:1049 0 None None None 2023-03-01 21:59:51 UTC
Red Hat Product Errata RHSA-2023:3641 0 None None None 2023-06-15 15:24:10 UTC
Red Hat Product Errata RHSA-2023:3906 0 None None None 2023-06-28 15:59:21 UTC
Red Hat Product Errata RHSA-2023:3954 0 None None None 2023-06-29 20:08:07 UTC

Description Zack Miele 2022-12-21 20:49:29 UTC
A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.

https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c
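The description above ties the issue to one specific misconfiguration: a CXFServlet whose init-params set both static-resources-list and redirect-query-check. The following script is an added example (not part of the bug report, the Apache CXF project, or Red Hat's tooling) that audits a deployment's web.xml for that combination so it can be removed before or alongside the upgrade to a fixed CXF version. The embedded web.xml is a constructed sample; the servlet class name org.apache.cxf.transport.servlet.CXFServlet and the parameter values used in it are illustrative assumptions.

```python
"""Audit a web.xml for the CXFServlet init-param combination named in CVE-2022-46363.

Flags every <servlet> whose init-params set both 'static-resources-list' and
'redirect-query-check', the pairing the advisory says must not be used together.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not taken from any real deployment). The first
# servlet carries the risky combination; the second only serves static resources.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>CXFServlet</servlet-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <init-param>
      <param-name>static-resources-list</param-name>
      <param-value>/static/.*</param-value>
    </init-param>
    <init-param>
      <param-name>redirect-query-check</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>StaticOnlyServlet</servlet-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <init-param>
      <param-name>static-resources-list</param-name>
      <param-value>/static/.*</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# The two attributes the advisory says must never be configured together.
RISKY_PAIR = {"static-resources-list", "redirect-query-check"}


def _local(tag: str) -> str:
    """Strip an XML namespace prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def servlet_init_params(web_xml: str) -> dict:
    """Return {servlet-name: {param-name: param-value}} for every <servlet> element."""
    root = ET.fromstring(web_xml)
    result = {}
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = None
        params = {}
        for child in servlet:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                pname = pvalue = None
                for field in child:
                    if _local(field.tag) == "param-name":
                        pname = (field.text or "").strip()
                    elif _local(field.tag) == "param-value":
                        pvalue = (field.text or "").strip()
                if pname:
                    params[pname] = pvalue
        if name:
            result[name] = params
    return result


def find_risky_servlets(web_xml: str) -> list:
    """Names of servlets whose init-params include both attributes in RISKY_PAIR."""
    return sorted(
        name
        for name, params in servlet_init_params(web_xml).items()
        if RISKY_PAIR.issubset(params)
    )


if __name__ == "__main__":
    for name in find_risky_servlets(SAMPLE_WEB_XML):
        print(f"{name}: sets both static-resources-list and redirect-query-check; "
              "drop one of them and upgrade CXF to 3.4.10 / 3.5.5 or later (CVE-2022-46363)")
```

Run it against a real deployment by reading the WAR's WEB-INF/web.xml into `find_risky_servlets`; an empty result means no servlet carries the flagged pairing, which is the configuration state the advisory describes as safe, independent of the CXF version in use.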

Comment 4 errata-xmlrpc 2023-01-26 21:55:49 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11.1.P1

Via RHSA-2023:0483 https://access.redhat.com/errata/RHSA-2023:0483

Comment 5 errata-xmlrpc 2023-01-30 17:12:04 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.14.5.P1

Via RHSA-2023:0544 https://access.redhat.com/errata/RHSA-2023:0544

Comment 6 Product Security DevOps Team 2023-02-01 05:25:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-46363

Comment 7 errata-xmlrpc 2023-03-01 21:43:51 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

Comment 8 errata-xmlrpc 2023-03-01 21:46:18 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

Comment 9 errata-xmlrpc 2023-03-01 21:48:46 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

Comment 10 errata-xmlrpc 2023-03-01 21:51:29 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

Comment 11 errata-xmlrpc 2023-03-01 21:59:46 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

Comment 12 errata-xmlrpc 2023-06-15 15:24:05 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.18.3.P2

Via RHSA-2023:3641 https://access.redhat.com/errata/RHSA-2023:3641

Comment 13 errata-xmlrpc 2023-06-28 15:59:16 UTC
This issue has been addressed in the following products:

  RHINT Camel-K-1.10.1

Via RHSA-2023:3906 https://access.redhat.com/errata/RHSA-2023:3906

Comment 14 errata-xmlrpc 2023-06-29 20:08:03 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954
