Open mend-bolt-for-github[bot] opened 1 year ago
Apache CXF Core
Library home page: http://cxf.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.1.12/cxf-core-3.1.12.jar
Dependency Hierarchy: - cxf-spring-boot-starter-jaxrs-3.1.12.jar (Root Library) - cxf-rt-transports-http-3.1.12.jar - :x: **cxf-core-3.1.12.jar** (Vulnerable Library)
Found in HEAD commit: 5b67285cc4e217cbdc85813b6705fb49ac7e91ab
Found in base branch: master
A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
Publish Date: 2022-12-13
URL: CVE-2022-46364
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-x3x3-qwjq-8gj4
Release Date: 2022-12-13
Fix Resolution (org.apache.cxf:cxf-core): 3.4.10
Direct dependency fix Resolution (org.apache.cxf:cxf-spring-boot-starter-jaxrs): 3.2.8
Step up your Open Source Security Game with Mend here
CVE-2022-46364 - Critical Severity Vulnerability
Apache CXF Core
Library home page: http://cxf.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/cxf/cxf-core/3.1.12/cxf-core-3.1.12.jar
Dependency Hierarchy: - cxf-spring-boot-starter-jaxrs-3.1.12.jar (Root Library) - cxf-rt-transports-http-3.1.12.jar - :x: **cxf-core-3.1.12.jar** (Vulnerable Library)
Found in HEAD commit: 5b67285cc4e217cbdc85813b6705fb49ac7e91ab
Found in base branch: master
A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
Publish Date: 2022-12-13
URL: CVE-2022-46364
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/advisories/GHSA-x3x3-qwjq-8gj4
Release Date: 2022-12-13
Fix Resolution (org.apache.cxf:cxf-core): 3.4.10
Direct dependency fix Resolution (org.apache.cxf:cxf-spring-boot-starter-jaxrs): 3.2.8
Step up your Open Source Security Game with Mend here