{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-46364", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "requesterUserId": "cf81350d-439c-4450-9d42-0a054bb6b6c9", "dateReserved": "2022-12-02T08:07:46.894Z", "datePublished": "2022-12-13T16:20:26.765Z", "dateUpdated": "2025-04-22T02:48:36.211Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache CXF", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.5.5", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "3.4.10", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "thanat0s from Beijin Qihoo 360 adlab"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. "}], "value": "A SSRF vulnerability in parsing the\u00a0href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.\u00a0"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-12-13T16:20:26.765Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache CXF SSRF Vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:31:46.249Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-22T02:48:12.377210Z", "id": "CVE-2022-46364", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T02:48:36.211Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:31:46.249Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-46364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-22T02:48:12.377210Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T02:48:32.213Z"}}], "cna": {"title": "Apache CXF SSRF Vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "thanat0s from Beijin Qihoo 360 adlab"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache CXF", "versions": [{"status": "affected", "version": "0", "lessThan": "3.5.5", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "3.4.10", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A SSRF vulnerability in parsing the\u00a0href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.\u00a0", "supportingMedia": [{"type": "text/html", "value": "A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2022-12-13T16:20:26.765Z"}}}, "cveMetadata": {"cveId": "CVE-2022-46364", "state": "PUBLISHED", "dateUpdated": "2025-04-22T02:48:36.211Z", "dateReserved": "2022-12-02T08:07:46.894Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2022-12-13T16:20:26.765Z", "requesterUserId": "cf81350d-439c-4450-9d42-0a054bb6b6c9", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "matchCriteriaId": "17B5E32D-A436-4C79-BEE9-6A2DB162DC66", "versionEndExcluding": "3.4.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*", "matchCriteriaId": "11EC4474-4CB6-47CD-9E3D-A998A3C7226C", "versionEndExcluding": "3.5.5", "versionStartIncluding": "3.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A SSRF vulnerability in parsing the\u00a0href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.\u00a0"}, {"lang": "es", "value": "Una vulnerabilidad SSRF al analizar el atributo href de XOP: Incluir en solicitudes MTOM en versiones de Apache CXF anteriores a 3.5.5 y 3.4.10 permite a un atacante realizar ataques de estilo SSRF en servicios web que toman al menos un par\u00e1metro de cualquier tipo."}], "id": "CVE-2022-46364", "lastModified": "2025-04-22T03:15:20.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-12-13T17:15:17.587", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:0164", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "CXF", "product_name": "EAP 7.4 async", "release_date": "2023-01-12T00:00:00Z"}, {"advisory": "RHSA-2023:1285", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "org.keycloak-keycloak-parent", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2023-03-16T00:00:00Z"}, {"advisory": "RHSA-2023:1286", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-web-container-rhel8:1.0-22", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2023-03-16T00:00:00Z"}, {"advisory": "RHSA-2023:2041", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.1::el8", "package": "mta/mta-windup-addon-rhel8:6.1.0-11", "product_name": "MTA-6.1-RHEL-8", "release_date": "2023-04-27T00:00:00Z"}, {"advisory": "RHSA-2023:0483", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "CXF", "product_name": "Red Hat Fuse 7.11.1.P1", "release_date": "2023-01-26T00:00:00Z"}, {"advisory": "RHSA-2023:3954", "cpe": "cpe:/a:redhat:jboss_fuse:7", "product_name": "Red Hat Fuse 7.12", "release_date": "2023-06-29T00:00:00Z"}, {"advisory": "RHSA-2023:0556", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "CXF", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-apache-sshd", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-elytron-web", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-hal-console", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-hibernate-search", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-ironjacamar", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jackson-annotations", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jackson-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jackson-databind", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jackson-jaxrs-providers", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jackson-modules-base", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jackson-modules-java8", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-javaee-security-soteria", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jboss-ejb-client", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jboss-jsf-api_2.3_spec", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jboss-jsp-api_2.3_spec", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jboss-remoting", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jboss-server-migration", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jettison", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-undertow", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-wildfly", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-wildfly-elytron", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-woodstox-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-apache-sshd", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-elytron-web", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-hal-console", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-hibernate-search", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-ironjacamar", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jackson-annotations", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jackson-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jackson-databind", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jackson-jaxrs-providers", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jackson-modules-base", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jackson-modules-java8", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-javaee-security-soteria", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-ejb-client", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-jsf-api_2.3_spec", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-jsp-api_2.3_spec", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-remoting", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-server-migration", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jettison", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-undertow", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly-elytron", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-woodstox-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-apache-sshd", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-elytron-web", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-hal-console", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-hibernate-search", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-ironjacamar", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jackson-annotations", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jackson-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jackson-databind", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jackson-jaxrs-providers", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jackson-modules-base", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jackson-modules-java8", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-javaee-security-soteria", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-ejb-client", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-jsf-api_2.3_spec", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-jsp-api_2.3_spec", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-remoting", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-server-migration", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jettison", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-undertow", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly-elytron", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-woodstox-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2024:10208", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package": "eap7-apache-cxf-0:3.1.16-3.SP1_redhat_00001.1.ep7.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2024:10207", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-apache-cxf-0:3.4.10-1.SP1_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2024:10207", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-avro-0:1.7.6-8.redhat_00003.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2024:10207", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-h2database-0:1.4.197-3.redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2024:10207", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jboss-annotations-api_1.3_spec-0:2.0.1-4.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2024:10207", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jboss-marshalling-0:2.0.15-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2024:10207", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jboss-server-migration-0:1.7.2-12.Final_redhat_00013.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2024:10207", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-jboss-xnio-base-0:3.7.13-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2024:10207", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-log4j-jboss-logmanager-0:1.2.2-2.Final_redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2024:10207", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-wildfly-0:7.3.11-4.GA_redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2024:10207", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-wss4j-0:2.3.3-2.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2024:10207", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-xalan-j2-0:2.7.1-38.redhat_00015.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2024:10207", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package": "eap7-xml-security-0:2.2.3-2.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date": "2024-11-25T00:00:00Z"}, {"advisory": "RHSA-2023:0163", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-apache-cxf-0:3.4.10-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2023-01-12T00:00:00Z"}, {"advisory": "RHSA-2023:0163", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-apache-cxf-0:3.4.10-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2023-01-12T00:00:00Z"}, {"advisory": "RHSA-2023:0163", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-apache-cxf-0:3.4.10-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2023-01-12T00:00:00Z"}, {"advisory": "RHSA-2023:1049", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6", "product_name": "Red Hat Single Sign-On 7", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1043", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "impact": "low", "package": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1044", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "impact": "low", "package": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1045", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "impact": "low", "package": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1047", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso76-openshift-rhel8:7.6-20", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:0544", "cpe": "cpe:/a:redhat:camel_spring_boot:3.14.5", "package": "CXF", "product_name": "RHINT Camel-Springboot 3.14.5.P1", "release_date": "2023-01-30T00:00:00Z"}, {"advisory": "RHSA-2023:3641", "cpe": "cpe:/a:redhat:camel_spring_boot:3.18", "product_name": "RHINT Camel-Springboot 3.18.3.P2", "release_date": "2023-06-15T00:00:00Z"}, {"advisory": "RHSA-2023:2135", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package": "CXF", "product_name": "RHPAM 7.13.1 async", "release_date": "2023-05-04T00:00:00Z"}], "bugzilla": {"description": "CXF: SSRF Vulnerability", "id": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-918", "details": ["A SSRF vulnerability in parsing the\u00a0href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.\u00a0", "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type."], "name": "CVE-2022-46364", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Affected", "package_name": "CXF", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "CXF", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "CXF", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "impact": "moderate", "package_name": "CXF", "product_name": "Red Hat Integration Camel Quarkus 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "CXF", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "CXF", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "apache-cxf", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "apache-cxf-xjc-utils", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "CXF", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "jbossas-modules-eap", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "jboss-on", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "jbossws-cxf", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-sso7_2-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-sso7_3-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-sso7_4-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-sso7_5-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "org.osgi.core-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "org.osgi.enterprise-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "CXF", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "CXF", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "CXF", "product_name": "Red Hat JBoss Fuse Service Works 6"}], "public_date": "2022-12-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-46364\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-46364\nhttps://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2"], "statement": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "threat_severity": "Important"}