CVE-2022-46363: Apache CXF directory listing / code exfiltration

Vendor: Apache Software Foundation
Product: Apache CXF
Weakness: CWE-20 · Input validation
Published: December 13, 2022
Last update: April 22, 2025

What the vulnerability does

Description

A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.

Key dates

Disclosure timeline

December 13, 2022: CVE published
April 22, 2025: Record updated