cloudsoft / winrm4j

Apache License 2.0

Critical vulnerabilities in dependency (Apache CXF) #164

Open StyopinN opened 1 year ago

StyopinN commented 1 year ago

There are a lot of known vulnerabilities in Apache CXF.

For example, very critical CVE-2022-46364 in cxf-core-3.3.9:

A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

Reference: https://www.cve.org/CVERecord?id=CVE-2022-46364

Is it possible to update <cxf.version>3.3.9</cxf.version> to the latest version (4.0.0 at this moment)? It looks like it is binary incompatible and needs some fixes in Winrm4j.
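The comment above quotes the affected range from the CVE record (fixed in 3.5.5 and 3.4.10) and notes that winrm4j pins cxf-core 3.3.9. The following is an added example, not code from winrm4j or from the issue: a small audit script that scans `mvn dependency:list` output for `org.apache.cxf:cxf-core` and flags versions inside that range. The sample output lines are constructed for illustration, and the line format assumed is the usual `[INFO]    group:artifact:jar:version:scope` shape.

```python
"""Added example (not part of winrm4j or this issue): flag Apache CXF cxf-core
versions in the range CVE-2022-46364 names (before 3.5.5 on the 3.5 line,
before 3.4.10 otherwise) in `mvn dependency:list` output."""
import re
from typing import List, Tuple

# Assumed line shape of `mvn dependency:list`, e.g.
# "[INFO]    org.apache.cxf:cxf-core:jar:3.3.9:compile"
DEP_RE = re.compile(
    r"^\[INFO\]\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):jar:"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a Maven version string.
    Missing components are 0; qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(p) if p else 0 for p in m.groups())
    return major, minor, patch


def is_cxf_core_affected(version: str) -> bool:
    """True when cxf-core falls in the range quoted in the issue:
    3.5.x before 3.5.5, or any older 3.x line before 3.4.10.
    4.x (the upgrade target proposed in the issue) is outside that range."""
    major, minor, patch = parse_version(version)
    v = (major, minor, patch)
    if major != 3:
        return False
    if minor >= 6:
        return False
    if minor == 5:
        return v < (3, 5, 5)
    return v < (3, 4, 10)


def audit_dependency_list(lines: List[str]) -> List[str]:
    """Scan dependency:list output and return one finding per affected cxf-core."""
    findings = []
    for line in lines:
        m = DEP_RE.match(line)
        if not m:
            continue
        if m["group"] == "org.apache.cxf" and m["artifact"] == "cxf-core":
            if is_cxf_core_affected(m["version"]):
                findings.append(
                    f"{m['group']}:{m['artifact']}:{m['version']} is in the "
                    f"CVE-2022-46364 range; upgrade to 3.4.10 / 3.5.5 or later"
                )
    return findings


# Constructed sample output, not captured from a real winrm4j build.
SAMPLE_OUTPUT = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.apache.cxf:cxf-core:jar:3.3.9:compile",
    "[INFO]    org.apache.cxf:cxf-rt-frontend-jaxws:jar:3.3.9:compile",
    "[INFO]    com.example:app-lib:jar:1.0.0:compile",
]

if __name__ == "__main__":
    for finding in audit_dependency_list(SAMPLE_OUTPUT):
        print(finding)
```

Run it against real output with `mvn dependency:list | python audit.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin`; the version comparison is numeric, so a `3.3.10` would not be mistaken for a newer release than `3.3.9` the way a string comparison would.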

StyopinN commented 1 year ago

I have started on a solution, but have a problem with generating code for the client: the jaxws/bindings.xml rules should change the package name, but they don't.

astharora commented 8 months ago

Is anyone working on this?