CVE-2022-46363
Remote Directory Listing vulnerability in cxf-core (Maven)

Vulnerability type: Remote Directory Listing. Known public exploits: none.

What is CVE-2022-46363 About?

This vulnerability in Apache CXF allows remote directory listing or code exfiltration when the CXFServlet is configured with both the `static-resources-list` and `redirect-query-check` attributes at the same time. The two attributes are not meant to be used together, so the flaw is only reachable on a misconfigured deployment; a default or correctly configured CXFServlet is not affected. The impact is unauthorized information disclosure.

Affected Software

  • org.apache.cxf:cxf-core
    • >3.5.0, <3.5.5
    • <3.4.10

Technical Details

The vulnerability affects Apache CXF versions before 3.5.5 and before 3.4.10. It arises when the CXFServlet is configured with both the `static-resources-list` and `redirect-query-check` attributes simultaneously (both are CXFServlet settings, typically supplied as `init-param` entries in web.xml). The two attributes were never designed to be combined, and their joint presence lets a remote, unauthenticated client send a crafted HTTP request to the CXF endpoint that bypasses the intended restrictions on which resources the servlet will serve, resulting in a directory listing or exfiltration of code from the deployed application. The servlet configuration, not the application code, is the precondition for the attack.

What is the Impact of CVE-2022-46363?

Successful exploitation gives an attacker unauthorized read access to directory structures and files of the deployed application, leading to information disclosure and the exfiltration of application code. The advisory describes no integrity or availability impact.

What is the Exploitability of CVE-2022-46363?

Exploitation depends entirely on a specific misconfiguration of the CXFServlet: both the `static-resources-list` and `redirect-query-check` attributes must be set concurrently. Attack complexity is therefore moderate in practice, since an attacker must first find a deployment with this exact configuration, but once found, the attack is remote and requires no authentication. The special condition is precisely this combination of two CXFServlet attributes that the Apache CXF project states are not intended to be used together. The risk is highest for teams that are unaware of this incompatibility or that copy servlet configurations between projects without reviewing them, because the affected setting is silent in normal operation and is not flagged by CXF itself.

What are the Known Public Exploits?

No known public exploits. The PoC, author, link and commentary table for this CVE is empty.

What are the Available Fixes for CVE-2022-46363?

Available Upgrade Options

  • org.apache.cxf:cxf-core
    • <3.4.10 → Upgrade to 3.4.10
  • org.apache.cxf:cxf-core
    • >3.5.0, <3.5.5 → Upgrade to 3.5.5


Additional Resources

What are Similar Vulnerabilities to CVE-2022-46363?

Similar Vulnerabilities: CVE-2023-37593, CVE-2023-29007, CVE-2023-28432, CVE-2023-25575, CVE-2023-24159