AI description
Automated description summarized from trusted sources.
CVE-2022-46364 is a Server-Side Request Forgery (SSRF) vulnerability in Apache CXF, an open-source services framework. The flaw lies in how CXF parsed the `href` attribute of `XOP:Include` elements in Message Transmission Optimization Mechanism (MTOM) requests: because the URI reference was not restricted to attachments carried in the message itself, a crafted MTOM request could make the server resolve an attacker-chosen URI, enabling SSRF-style attacks against the web service. Any service that accepts at least one parameter of any type is affected, and the flaw can be exploited remotely without authentication.
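The XOP specification requires the `href` of an `xop:Include` to be a `cid:` URI naming a MIME part of the same multipart/related message. The check below is an added example, not code from this page or from Apache CXF: it parses a constructed MTOM message, collects the Content-IDs that actually arrived, and rejects any `href` that is not a `cid:` reference to one of them. The sample envelope, MIME body and content IDs are constructed; the namespaces are the standard SOAP 1.2 and XOP ones.

```python
import email
from urllib.parse import unquote, urlparse
import xml.etree.ElementTree as ET

XOP_INCLUDE = "{http://www.w3.org/2004/08/xop/include}Include"

# Constructed multipart/related MTOM message with one root part and one attachment.
SAMPLE_MIME = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"; type="application/xop+xml"\r\n'
    b"\r\n--b1\r\n"
    b"Content-Type: application/xop+xml; charset=UTF-8\r\n"
    b"Content-ID: <root@example.org>\r\n\r\n"
    b"<placeholder/>\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-ID: <part1@example.org>\r\n\r\n"
    b"BINARY\r\n--b1--\r\n"
)

# Constructed SOAP envelope: one valid reference, one dangling cid:, one non-cid URI.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
  xmlns:xop="http://www.w3.org/2004/08/xop/include" xmlns:ns="urn:example:upload">
 <soap:Body><ns:upload>
  <ns:a><xop:Include href="cid:part1@example.org"/></ns:a>
  <ns:b><xop:Include href="cid:missing@example.org"/></ns:b>
  <ns:c><xop:Include href="http://example.invalid/blob"/></ns:c>
 </ns:upload></soap:Body></soap:Envelope>"""

def content_ids(raw_mime: bytes) -> set:
    """Collect the Content-ID of every MIME part, without the surrounding angle brackets."""
    msg = email.message_from_bytes(raw_mime)
    ids = set()
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            ids.add(cid.strip().strip("<>"))
    return ids

def check_xop_hrefs(envelope_xml: str, known_ids: set) -> list:
    """Return one reason per xop:Include that must be rejected; an empty list means
    every href is a cid: URI naming a part that travelled with this message."""
    problems = []
    for inc in ET.fromstring(envelope_xml).iter(XOP_INCLUDE):
        href = inc.get("href", "")
        if urlparse(href).scheme != "cid":          # http:, file:, no scheme, ... are all rejected
            problems.append(f"non-cid href: {href!r}")
        elif unquote(href[4:]) not in known_ids:    # cid: must match an attachment actually present
            problems.append(f"unknown attachment: {href!r}")
    return problems

if __name__ == "__main__":
    print(check_xop_hrefs(SAMPLE_ENVELOPE, content_ids(SAMPLE_MIME)))
```

A gateway or interceptor applying this rule before the attachment is dereferenced removes the class of request the CVE describes, independent of the framework version.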
- Description: An SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on web services that take at least one parameter of any type.
- Source: security@apache.org
- NVD status: Modified

CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- Weakness (security@apache.org): CWE-918
- Hype score: Not currently trending
Affected configurations (NVD CPE match data):

```json
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "17B5E32D-A436-4C79-BEE9-6A2DB162DC66",
            "versionEndExcluding": "3.4.10",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "11EC4474-4CB6-47CD-9E3D-A998A3C7226C",
            "versionEndExcluding": "3.5.5",
            "versionStartIncluding": "3.5.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]
```