A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
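The description above is the whole of what the advisory says about the mechanism: the `href` attribute of an `xop:Include` element is attacker-controlled, and a pre-3.5.5 / 3.4.10 CXF resolves it server-side. In a well-formed MTOM message that attribute is always a `cid:` URI naming another MIME part of the same request, so anything else can be rejected before it reaches the web service. The following Python check is an added example, not code from this advisory or from Apache CXF: it parses an MTOM multipart body, collects the Content-IDs of the attached parts, and flags every `xop:Include` whose `href` is not a `cid:` reference resolving to one of them. The multipart message, its boundary, Content-IDs and hostnames are constructed for the example.

```python
"""
Added example (not from the advisory or from Apache CXF): validate the
xop:Include href attribute of an MTOM request.

A legitimate href is a cid: URI that names another MIME part of the same
message.  Any other scheme (http:, https:, file:, ftp:, jar:, ...) would be
fetched by a vulnerable CXF itself, so such requests can be dropped at an
edge proxy, in a WAF rule or in a server-side interceptor while an upgrade
to a fixed release is pending.  build_sample() constructs the test message;
its boundary, Content-IDs and hostnames are made up for this example.
"""

import email
import email.policy
import xml.etree.ElementTree as ET
from urllib.parse import unquote

XOP_NS = "http://www.w3.org/2004/08/xop/include"
BOUNDARY = "uuid:0f8fad5b-d9cb-469f-a165-70867728950e"  # constructed value


def build_sample(href: str) -> bytes:
    """Constructed MTOM request (entity headers + multipart body) with one xop:Include."""
    soap = (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap:Body><ns:upload xmlns:ns="urn:example:files"><ns:data>'
        f'<xop:Include xmlns:xop="{XOP_NS}" href="{href}"/>'
        "</ns:data></ns:upload></soap:Body></soap:Envelope>"
    )
    return (
        'Content-Type: multipart/related; type="application/xop+xml"; '
        f'boundary="{BOUNDARY}"; start="<root.message@example.invalid>"\r\n'
        "\r\n"
        f"--{BOUNDARY}\r\n"
        'Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"\r\n'
        "Content-Transfer-Encoding: binary\r\n"
        "Content-ID: <root.message@example.invalid>\r\n"
        "\r\n"
        f"{soap}\r\n"
        f"--{BOUNDARY}\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Transfer-Encoding: binary\r\n"
        "Content-ID: <blob-1@example.invalid>\r\n"
        "\r\n"
        "hello, attachment\r\n"
        f"--{BOUNDARY}--\r\n"
    ).encode()


def parse_mtom(raw: bytes):
    """Split a raw MTOM message into (root SOAP part bytes, {content-id: part bytes})."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if msg.get_content_type() != "multipart/related":
        raise ValueError("not an MTOM (multipart/related) message")
    parts = {}
    for part in msg.iter_parts():
        cid = str(part.get("Content-ID", "")).strip().strip("<>")
        parts[cid] = part.get_payload(decode=True)
    # The 'start' parameter names the root part; without it the first part is the root.
    root_cid = str(msg.get_param("start") or "").strip("<>") or next(iter(parts))
    return parts[root_cid], parts


def check_xop_hrefs(raw: bytes):
    """Return (href, reason) for every xop:Include whose href is not a cid: URI
    that resolves to a part of this same message.  An empty list means the
    request only references its own attachments."""
    soap_xml, parts = parse_mtom(raw)
    findings = []
    for inc in ET.fromstring(soap_xml).iter(f"{{{XOP_NS}}}Include"):
        href = inc.get("href", "")
        scheme, sep, rest = href.partition(":")
        if not sep or scheme.lower() != "cid":
            # Remote or local URL: a vulnerable server would fetch it itself (SSRF).
            findings.append((href, "href is not a cid: reference"))
        elif unquote(rest) not in parts:
            # cid: scheme but nothing attached under that Content-ID: reject rather
            # than let the server go looking for it anywhere else.
            findings.append((href, "cid: does not match any part in this message"))
    return findings


if __name__ == "__main__":
    for href in ("cid:blob-1@example.invalid",
                 "http://169.254.169.254/latest/meta-data/",
                 "file:///etc/passwd"):
        print(href, "->", check_xop_hrefs(build_sample(href)) or "ok")
```

This check is a compensating control only; the fix the advisory names is upgrading to CXF 3.5.5 or 3.4.10 (or the vendor builds listed below). Restricting outbound connections from the application server is the usual defence in depth for any SSRF of this shape, since the check above cannot see hrefs inside requests it does not proxy.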
Metrics
No CVSS v4.0
CVSS v3.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8 Critical)
Metric | Value |
---|---|
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | None |
Scope | Unchanged |
Confidentiality Impact | High |
Integrity Impact | High |
Availability Impact | High |
No CVSS v3.0
No CVSS v2
This CVE is not in the KEV list.
Key SSVC decision points have not yet been added.
Affected Vendors & Products
Vendors | Products |
---|---|
Apache | CXF |
Redhat | JBoss Enterprise Application Platform (7.1 EUS, 7.3 EUS, 7.4), Fuse 7, Camel Spring Boot, Single Sign-On 7.6, Migration Toolkit for Runtimes 1, Migration Toolkit for Applications 6.1, RHPAM 7.13, RHEL-8 based Middleware Containers |
Package | CPE | Advisory | Released Date |
---|---|---|---|
EAP 7.4 async | |||
CXF | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | RHSA-2023:0164 | 2023-01-12T00:00:00Z |
Migration Toolkit for Runtimes 1 on RHEL 8 | |||
org.keycloak-keycloak-parent | cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 | RHSA-2023:1285 | 2023-03-16T00:00:00Z |
mtr/mtr-web-container-rhel8:1.0-22 | cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8 | RHSA-2023:1286 | 2023-03-16T00:00:00Z |
MTA-6.1-RHEL-8 | |||
mta/mta-windup-addon-rhel8:6.1.0-11 | cpe:/a:redhat:migration_toolkit_applications:6.1::el8 | RHSA-2023:2041 | 2023-04-27T00:00:00Z |
Red Hat Fuse 7.11.1.P1 | |||
CXF | cpe:/a:redhat:jboss_fuse:7 | RHSA-2023:0483 | 2023-01-26T00:00:00Z |
Red Hat Fuse 7.12 | |||
(package not listed) | cpe:/a:redhat:jboss_fuse:7 | RHSA-2023:3954 | 2023-06-29T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7 | |||
CXF | cpe:/a:redhat:jboss_enterprise_application_platform:7.4 | RHSA-2023:0556 | 2023-01-31T00:00:00Z |
eap7-apache-sshd | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-elytron-web | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-hal-console | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-hibernate-search | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-ironjacamar | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jackson-annotations | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jackson-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jackson-databind | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jackson-jaxrs-providers | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jackson-modules-base | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jackson-modules-java8 | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-javaee-security-soteria | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jboss-ejb-client | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jboss-jsf-api_2.3_spec | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jboss-jsp-api_2.3_spec | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jboss-remoting | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jboss-server-migration | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-jettison | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-undertow | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-wildfly | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-wildfly-elytron | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-woodstox-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0552 | 2023-01-31T00:00:00Z |
eap7-apache-sshd | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-elytron-web | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-hal-console | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-hibernate-search | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-ironjacamar | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jackson-annotations | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jackson-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jackson-databind | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jackson-jaxrs-providers | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jackson-modules-base | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jackson-modules-java8 | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-javaee-security-soteria | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jboss-ejb-client | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jboss-jsf-api_2.3_spec | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jboss-jsp-api_2.3_spec | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jboss-remoting | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jboss-server-migration | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-jettison | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-undertow | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-wildfly | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-wildfly-elytron | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-woodstox-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0553 | 2023-01-31T00:00:00Z |
eap7-apache-sshd | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-elytron-web | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-hal-console | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-hibernate-search | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-ironjacamar | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jackson-annotations | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jackson-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jackson-databind | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jackson-jaxrs-providers | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jackson-modules-base | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jackson-modules-java8 | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-javaee-security-soteria | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jboss-ejb-client | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jboss-jsf-api_2.3_spec | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jboss-jsp-api_2.3_spec | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jboss-remoting | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jboss-server-migration | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-jettison | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-undertow | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-wildfly | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-wildfly-elytron | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
eap7-woodstox-core | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0554 | 2023-01-31T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7 | |||
eap7-apache-cxf-0:3.1.16-3.SP1_redhat_00001.1.ep7.el7 | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7 | RHSA-2024:10208 | 2024-11-25T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 | |||
eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7 | RHSA-2024:10207 | 2024-11-25T00:00:00Z |
eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7 | RHSA-2024:10207 | 2024-11-25T00:00:00Z |
eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7 | RHSA-2024:10207 | 2024-11-25T00:00:00Z |
eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7 | RHSA-2024:10207 | 2024-11-25T00:00:00Z |
eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7 | RHSA-2024:10207 | 2024-11-25T00:00:00Z |
eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7 | RHSA-2024:10207 | 2024-11-25T00:00:00Z |
eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7 | RHSA-2024:10207 | 2024-11-25T00:00:00Z |
eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7 | RHSA-2024:10207 | 2024-11-25T00:00:00Z |
eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7 | RHSA-2024:10207 | 2024-11-25T00:00:00Z |
eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7 | RHSA-2024:10207 | 2024-11-25T00:00:00Z |
eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7 | RHSA-2024:10207 | 2024-11-25T00:00:00Z |
eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7 | RHSA-2024:10207 | 2024-11-25T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | |||
eap7-apache-cxf-0:3.4.10-1.redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 | RHSA-2023:0163 | 2023-01-12T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | |||
eap7-apache-cxf-0:3.4.10-1.redhat_00001.1.el9eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9 | RHSA-2023:0163 | 2023-01-12T00:00:00Z |
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | |||
eap7-apache-cxf-0:3.4.10-1.redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 | RHSA-2023:0163 | 2023-01-12T00:00:00Z |
Red Hat Single Sign-On 7 | |||
(package not listed) | cpe:/a:redhat:red_hat_single_sign_on:7.6 | RHSA-2023:1049 | 2023-03-01T00:00:00Z |
Red Hat Single Sign-On 7.6 for RHEL 7 | |||
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso | cpe:/a:redhat:red_hat_single_sign_on:7.6::el7 | RHSA-2023:1043 | 2023-03-01T00:00:00Z |
Red Hat Single Sign-On 7.6 for RHEL 8 | |||
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso | cpe:/a:redhat:red_hat_single_sign_on:7.6::el8 | RHSA-2023:1044 | 2023-03-01T00:00:00Z |
Red Hat Single Sign-On 7.6 for RHEL 9 | |||
rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso | cpe:/a:redhat:red_hat_single_sign_on:7.6::el9 | RHSA-2023:1045 | 2023-03-01T00:00:00Z |
RHEL-8 based Middleware Containers | |||
rh-sso-7/sso76-openshift-rhel8:7.6-20 | cpe:/a:redhat:rhosemc:1.0::el8 | RHSA-2023:1047 | 2023-03-01T00:00:00Z |
RHINT Camel-Springboot 3.14.5.P1 | |||
CXF | cpe:/a:redhat:camel_spring_boot:3.14.5 | RHSA-2023:0544 | 2023-01-30T00:00:00Z |
RHINT Camel-Springboot 3.18.3.P2 | |||
(package not listed) | cpe:/a:redhat:camel_spring_boot:3.18 | RHSA-2023:3641 | 2023-06-15T00:00:00Z |
RHPAM 7.13.1 async | |||
CXF | cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13 | RHSA-2023:2135 | 2023-05-04T00:00:00Z |
References
History
Mon, 25 Nov 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | | Redhat jboss Enterprise Application Platform Eus |
CPEs | | cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7, cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7 |
Vendors & Products | | Redhat jboss Enterprise Application Platform Eus |
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2022-12-13T16:20:26.765Z
Updated: 2024-08-03T14:31:46.249Z
Reserved: 2022-12-02T08:07:46.894Z
Link: CVE-2022-46364
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-12-13T17:15:17.587
Modified: 2024-11-21T07:30:28.037
Link: CVE-2022-46364