CVE-2022-46364
SSRF vulnerability in cxf-core (Maven)

Type: SSRF. Known public exploit: none.

What is CVE-2022-46364 About?

This vulnerability is a Server-Side Request Forgery (SSRF) flaw in the way Apache CXF parses MTOM requests. By supplying an XOP:Include element whose href is a URL rather than a reference to an attached MIME part, an attacker makes the server issue a request to a destination of the attacker's choosing, which can expose internal services or data. Exploitation is straightforward once the conditions described below are met.

Affected Software

  • org.apache.cxf:cxf-core
    • >3.5.0, <3.5.5
    • <3.4.10

Technical Details

MTOM (Message Transmission Optimization Mechanism) carries binary content as separate MIME parts of a multipart/related package; inside the SOAP body, an XOP:Include element whose href has the form cid:<Content-ID> marks where each part belongs. In Apache CXF versions before 3.5.5 and 3.4.10, the href attribute was not restricted to cid: references: when the include was resolved, an href carrying an arbitrary internal or external URL caused the server to fetch that URL. An attacker who can send an MTOM request therefore chooses the destination, including hosts reachable only from the server's own network, and the server makes the request on the attacker's behalf, bypassing typical network segmentation and allowing internal resources to be accessed or internal networks scanned. Because the href is resolved while the attachments are being bound to the operation's parameters, validation inside the service implementation runs too late to prevent the request.
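The resolution step described above, as an added example that is not Apache CXF's code: a hypothetical MTOM parser with the unsafe href handling (any non-cid: href is treated as a URL and fetched by the server) beside a hardened resolver that accepts only cid: references naming a MIME part of the same request. The SOAP message, Content-IDs, attachment bytes, target URL and the RecordingFetcher stand-in for an HTTP client are all constructed for this example. The same block illustrates the exploitability notes that follow: the request needs only one parameter in which an XOP:Include can be placed.

```python
"""Hypothetical XOP:Include resolver illustrating the href handling behind
CVE-2022-46364. Not Apache CXF code; the message, Content-IDs, attachment
content and target URL are constructed for this example."""
import email
from email import policy
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote
import xml.etree.ElementTree as ET

XOP_INCLUDE = "{http://www.w3.org/2004/08/xop/include}Include"
ROOT_CID = "root.message@example.org"      # constructed
ATTACHMENT_CID = "part1@example.org"       # constructed
ATTACHMENT_BYTES = b"hello attachment"     # constructed


def build_mtom_message(href: str) -> bytes:
    """Build a multipart/related MTOM request whose single XOP:Include has `href`."""
    boundary = "MIMEBoundary_example"
    soap = (
        '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"'
        ' xmlns:xop="http://www.w3.org/2004/08/xop/include"><soap:Body>'
        f'<upload><data><xop:Include href="{href}"/></data></upload>'
        '</soap:Body></soap:Envelope>'
    )
    parts = [
        'Content-Type: application/xop+xml; charset=UTF-8; type="application/soap+xml"\r\n'
        f"Content-Transfer-Encoding: binary\r\nContent-ID: <{ROOT_CID}>\r\n\r\n{soap}",
        "Content-Type: application/octet-stream\r\nContent-Transfer-Encoding: binary\r\n"
        f"Content-ID: <{ATTACHMENT_CID}>\r\n\r\n{ATTACHMENT_BYTES.decode()}",
    ]
    head = (
        'MIME-Version: 1.0\r\nContent-Type: multipart/related; type="application/xop+xml";'
        f' boundary="{boundary}"; start="<{ROOT_CID}>"\r\n\r\n'
    )
    body = "".join(f"--{boundary}\r\n{p}\r\n" for p in parts) + f"--{boundary}--\r\n"
    return (head + body).encode()


def parse_mtom(raw: bytes) -> Tuple[bytes, Dict[str, bytes]]:
    """Split the MIME package into the XML root part and a Content-ID -> bytes map."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    root_xml = b""
    attachments: Dict[str, bytes] = {}
    for part in msg.iter_parts():
        cid = (part["Content-ID"] or "").strip().strip("<>")
        payload = part.get_payload(decode=True)
        if part.get_content_type() == "application/xop+xml":
            root_xml = payload
        else:
            attachments[cid] = payload
    return root_xml, attachments


class RecordingFetcher:
    """Stand-in for an HTTP client: records every URL the server is asked to fetch."""
    def __init__(self) -> None:
        self.calls: List[str] = []

    def __call__(self, url: str) -> bytes:
        self.calls.append(url)
        return b"<response from " + url.encode() + b">"


def resolve_includes_vulnerable(raw: bytes, fetch: Callable[[str], bytes]) -> List[bytes]:
    """Unsafe pattern: a cid: href is looked up locally, anything else is treated
    as a URL and fetched by the server. That fetch is the SSRF."""
    root_xml, attachments = parse_mtom(raw)
    out: List[bytes] = []
    for inc in ET.fromstring(root_xml).iter(XOP_INCLUDE):
        href = inc.get("href", "")
        if href.lower().startswith("cid:"):
            out.append(attachments[unquote(href[4:])])
        else:
            out.append(fetch(href))  # attacker controls the destination
    return out


def resolve_includes_hardened(raw: bytes) -> List[bytes]:
    """Accept only cid: references that name a MIME part of this same request."""
    root_xml, attachments = parse_mtom(raw)
    out: List[bytes] = []
    for inc in ET.fromstring(root_xml).iter(XOP_INCLUDE):
        href = inc.get("href", "")
        scheme, sep, ref = href.partition(":")
        if scheme.lower() != "cid" or not sep or not ref:
            raise ValueError(f"XOP:Include href must be a cid: reference, got {href!r}")
        cid = unquote(ref)  # cid: URIs may percent-encode the Content-ID
        if cid not in attachments:
            raise ValueError(f"no MIME part with Content-ID {cid!r} in this request")
        out.append(attachments[cid])
    return out


if __name__ == "__main__":
    fetcher = RecordingFetcher()
    benign = build_mtom_message(f"cid:{ATTACHMENT_CID}")
    hostile = build_mtom_message("http://127.0.0.1:8080/admin")  # constructed target
    print(resolve_includes_vulnerable(benign, fetcher))
    print(resolve_includes_vulnerable(hostile, fetcher), fetcher.calls)
    print(resolve_includes_hardened(benign))
    try:
        resolve_includes_hardened(hostile)
    except ValueError as e:
        print("rejected:", e)
```

The hardened resolver rejects on scheme before touching the network and additionally insists that the referenced Content-ID exist in the request, so a cid: that names nothing cannot fall through to some other lookup path. The fetcher is injected rather than calling a real HTTP client so the example runs offline and records exactly which URL the vulnerable path would have contacted.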

What is the Impact of CVE-2022-46364?

Successful exploitation may allow attackers to make arbitrary requests from the server, potentially leading to information disclosure, port scanning of internal networks, or bypassing network access controls.

What is the Exploitability of CVE-2022-46364?

Exploitation requires the ability to send an MTOM (multipart/related) request to an Apache CXF webservice operation that accepts at least one parameter of any type; the XOP:Include only has to be placed where that parameter's content is expected. The attack is remote, and no authentication or elevated privilege is required beyond whatever the service itself demands, because it targets the request-parsing layer rather than any service logic. Crafting the payload is of moderate complexity: a multipart/related message with a SOAP root part whose XOP:Include href points at the target URL. Public-facing SOAP services that accept arbitrary XML input are the most exposed, since anyone who can reach them can set the href.

What are the Known Public Exploits?

No known public exploits are listed (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2022-46364?

Available Upgrade Options

  • org.apache.cxf:cxf-core
    • < 3.4.10 → Upgrade to 3.4.10
  • org.apache.cxf:cxf-core
    • >= 3.5.0, < 3.5.5 → Upgrade to 3.5.5

cxf-core is normally pulled in transitively by the CXF runtime modules (for example cxf-rt-frontend-jaxws), so raise the CXF version used by the whole project rather than pinning cxf-core alone, and confirm the resolved version with mvn dependency:tree.


Additional Resources

What are Similar Vulnerabilities to CVE-2022-46364?

Similar Vulnerabilities: CVE-2021-43907, CVE-2021-26855, CVE-2020-11651, CVE-2022-26134, CVE-2021-22946