{ "threat_severity" : "Moderate", "public_date" : "2022-12-13T00:00:00Z", "bugzilla" : { "description" : "CXF: directory listing / code exfiltration", "id" : "2155681", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.", "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured." ], "affected_release" : [ { "product_name" : "Red Hat Fuse 7.11.1.P1", "release_date" : "2023-01-26T00:00:00Z", "advisory" : "RHSA-2023:0483", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "CXF" }, { "product_name" : "Red Hat Fuse 7.12", "release_date" : "2023-06-29T00:00:00Z", "advisory" : "RHSA-2023:3954", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "release_date" : "2023-01-31T00:00:00Z", "advisory" : "RHSA-2023:0556", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package" : "CXF" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1746", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-apache-cxf-0:3.1.16-4.redhat_00003.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1746", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-hal-console-0:3.2.17-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jackson-annotations-0:2.10.4-2.redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jackson-core-0:2.10.4-2.redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jackson-databind-0:2.10.4-4.redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jackson-jaxrs-providers-0:2.10.4-2.redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jackson-modules-base-0:2.10.4-4.redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jettison-0:1.5.2-2.redhat_00002.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-netty-0:4.1.63-4.Final_redhat_00002.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-wildfly-0:7.3.12-3.GA_redhat_00002.1.el7eap" }, { "product_name" : "Red Hat Single Sign-On 7", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1049", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6", "package" : "CXF" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1043", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1044", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1045", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1047", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rh-sso-7/sso76-openshift-rhel8:7.6-20" }, { "product_name" : "RHINT Camel-K-1.10.1", "release_date" : "2023-06-28T00:00:00Z", "advisory" : "RHSA-2023:3906", "cpe" : "cpe:/a:redhat:camel_k:1", "package" : "CXF" }, { "product_name" : "RHINT Camel-Springboot 3.14.5.P1", "release_date" : "2023-01-30T00:00:00Z", "advisory" : "RHSA-2023:0544", "cpe" : "cpe:/a:redhat:camel_spring_boot:3.14.5", "package" : "CXF" }, { "product_name" : "RHINT Camel-Springboot 3.18.3.P2", "release_date" : "2023-06-15T00:00:00Z", "advisory" : "RHSA-2023:3641", "cpe" : "cpe:/a:redhat:camel_spring_boot:3.18" }, { "product_name" : "RHPAM 7.13.1 async", "release_date" : "2023-05-04T00:00:00Z", "advisory" : "RHSA-2023:2135", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13" } ], "package_state" : [ { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/elasticsearch6-rhel8", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Migration Toolkit for Applications 6", "fix_state" : "Not affected", "package_name" : "org.keycloak-keycloak-parent", "cpe" : "cpe:/a:redhat:migration_toolkit_applications:6" }, { "product_name" : "Migration Toolkit for Runtimes", "fix_state" : "Will not fix", "package_name" : "org.apache.cxf-cxf-api", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1" }, { "product_name" : "Migration Toolkit for Runtimes", "fix_state" : "Not affected", "package_name" : "org.keycloak-keycloak-parent", "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1" }, { "product_name" : "Red Hat build of Quarkus", "fix_state" : "Not affected", "package_name" : "CXF", "cpe" : "cpe:/a:redhat:quarkus:2" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "CXF", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Out of support scope", "package_name" : "CXF", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Not affected", "package_name" : "CXF", "cpe" : "cpe:/a:redhat:camel_quarkus:2" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "CXF", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Out of support scope", "package_name" : "CXF", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "apache-cxf", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "apache-cxf-xjc-utils", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "CXF", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "jbossas-modules-eap", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "jboss-on", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "jbossws-cxf", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_2-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_3-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_4-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "keycloak-adapter-sso7_5-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "org.osgi.core-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "org.osgi.enterprise-eap6", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "CXF", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "CXF", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "CXF", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Out of support scope", "package_name" : "CXF", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-46363\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-46363\nhttps://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c" ], "name" : "CVE-2022-46363", "csaw" : false }