
CVE-2022-46363: Apache CXF vulnerable to Exposure of Sensitive Information

CVSS Score (v3.1)
7.5

Basic Information

EPSS Score
0.28272%
Published
12/13/2022
Updated
9/7/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name              Ecosystem   Vulnerable Versions   First Patched Version
org.apache.cxf:cxf-core   maven       < 3.4.10              3.4.10
org.apache.cxf:cxf-core   maven       >= 3.5.0, < 3.5.5     3.5.5

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from `CXFServlet`'s request-handling logic when both the `static-resources-list` and `redirect-query-check` init-params are set. The `handleRequest()` method is the central point at which an incoming HTTP request is matched against the configured static-resource and redirect paths and then either served from the web application or redirected, so it is where the two settings interact. With both enabled, the path and query checks that would normally restrict which resources can be served are likely not applied as intended (CWE-20, improper input validation), allowing an attacker to obtain a remote directory listing or retrieve files from the deployed application (CWE-200, information exposure). The exact vulnerable code is not reproduced here; attributing the flaw to `CXFServlet`'s request handling follows from the advisory, which states that it only arises when these two attributes are configured together. The remediation is to upgrade `cxf-core` to 3.4.10 or 3.5.5 and to stop combining the two attributes, which were never intended to be used together.
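
The two conditions the advisory names, an affected `cxf-core` version and a `CXFServlet` that sets both attributes, can be checked mechanically before anyone touches production. The following is an added example, not code from Miggo or from the Apache CXF project: a small Python audit script that tests a Maven version string against the vulnerable ranges in the table above and parses a `web.xml` for `CXFServlet` definitions that carry both `static-resources-list` and `redirect-query-check`. The function names, the sample `web.xml`, and the `/.*\.html` resource pattern are constructed for this example; the init-param names and the servlet class name are CXF's own.

```python
"""Audit helpers for CVE-2022-46363 (Apache CXF).

Added example, not code from Miggo or the Apache CXF project. It checks the
two conditions in the advisory: whether a cxf-core version is in a vulnerable
range, and whether a web.xml configures CXFServlet with both
`static-resources-list` and `redirect-query-check`. Function names and the
sample web.xml are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Real CXF servlet class and init-param names (from org.apache.cxf.transport.servlet).
CXF_SERVLET_CLASS = "org.apache.cxf.transport.servlet.CXFServlet"
STATIC_RESOURCES_PARAM = "static-resources-list"
REDIRECT_QUERY_CHECK_PARAM = "redirect-query-check"

# Vulnerable ranges from the advisory table: < 3.4.10, and >= 3.5.0 but < 3.5.5.
# Each entry is an inclusive lower bound and an exclusive upper bound.
VULNERABLE_RANGES = [((0, 0, 0), (3, 4, 10)), ((3, 5, 0), (3, 5, 5))]


def parse_version(version: str) -> tuple:
    """'3.5.4' -> (3, 5, 4); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(n) for n in match.groups())


def is_vulnerable_version(version: str) -> bool:
    """True when the cxf-core version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


def _local(tag: str) -> str:
    """Strip the Java EE namespace so '{...}servlet' compares as 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def cxf_servlets_with_both_params(web_xml: str) -> list:
    """Return names of CXFServlet definitions that set both flagged init-params.

    The advisory speaks of the attributes being *configured* together, so the
    parameter is reported whatever value it carries (assumption for this audit).
    """
    root = ET.fromstring(web_xml)
    hits = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = cls = None
        params = {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "servlet-class":
                cls = (child.text or "").strip()
            elif tag == "init-param":
                pname = pvalue = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pvalue = (p.text or "").strip()
                if pname:
                    params[pname] = pvalue
        if cls == CXF_SERVLET_CLASS and STATIC_RESOURCES_PARAM in params \
                and REDIRECT_QUERY_CHECK_PARAM in params:
            hits.append(name)
    return hits


# Constructed sample web.xml: the first servlet has the flagged combination,
# the second sets only static-resources-list and is therefore not reported.
SAMPLE_WEB_XML = r"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>CXFServlet</servlet-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <init-param>
      <param-name>static-resources-list</param-name>
      <param-value>/.*\.html</param-value>
    </init-param>
    <init-param>
      <param-name>redirect-query-check</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>StaticOnly</servlet-name>
    <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
    <init-param>
      <param-name>static-resources-list</param-name>
      <param-value>/.*\.html</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def audit(web_xml: str, cxf_version: str) -> dict:
    """Combine both checks; the deployment is exposed only if both are true."""
    servlets = cxf_servlets_with_both_params(web_xml)
    vulnerable = is_vulnerable_version(cxf_version)
    return {
        "vulnerable_version": vulnerable,
        "misconfigured_servlets": servlets,
        "exposed": vulnerable and bool(servlets),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML, "3.5.4"))
```

Run it against the `web.xml` of each deployed WAR together with the resolved `cxf-core` version from `mvn dependency:tree`; a deployment is exposed only when both the version and the configuration check fire, but the two attributes should be separated regardless of version, since they were never meant to be combined.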


WAF Protection Rules

WAF Rule

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes.
