Remote Directory Listing and Code Exfiltration Vulnerability in Apache CXF

CVE-2022-46363 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.
