Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMBE0125A0244A48C63EDE3EEB023192A76A967E2BE6D206ACCD9E28DFD20C9EF3
HistoryMay 03, 2023 - 6:01 p.m.

Security Bulletin: IBM ECM Content Management Interoperability Services (CMIS) cfx-core security vulnerabilities CVE-2022-46363, CVE-2022-46364

2023-05-0318:01:09
www.ibm.com
6

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.029 Low

EPSS

Percentile

90.6%

JSON

Summary

IBM ECM Content Management Interoperability Services (CMIS) cfx-core security vulnerabilities CVE-2022-46363, CVE-2022-46364, affected, not vulnerable

Vulnerability Details

CVEID:CVE-2022-46363
**DESCRIPTION:**Apache CXF could allow a remote attacker to obtain sensitive information, caused by a flaw when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. By sending a specially-crafted request, an attacker could exploit this vulnerability to perform directory listing or code exfiltration, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242009 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2022-46364
**DESCRIPTION:**Apache CXF is vulnerable to server-side request forgery, caused by a flaw in parsing the href attribute of XOP:Include in MTOM requests. By using a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242008 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

IBM ECM Content Management Interoperability Services (CMIS)

Affected Product(s) Version(s)
CMIS 3.0.7

Remediation/Fixes

To resolve these vulnerabilities, install one of the patch sets listed below to upgrade to cfx-core v3.5.5 released December 13, 2022.

Product VRMF Remediation/First Fix
CMIS 3.0.7 CMIS v3.0.7-IF2 - 4/28/2023

Workarounds and Mitigations

None

CPENameOperatorVersion
filenet content managereq3.0.7

Related

ibm 40
redhat 20
osv 4
cve 2
cnvd 1
redhatcve 2
prion 2
veracode 2
github 2
nessus 12
qualysblog 2
oracle 3
ibm
ibm
Security Bulletin: Apache CXF vulnerability identified in IBM Tivoli Application Dependency Discovery Manager
2024-02-14 07:30:25
Security Bulletin: WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF
2023-02-16 03:56:40
Security Bulletin: IBM Sterling B2B Integrator B2B API vulnerable to multiple issues due to Apache CXF
2024-04-11 13:17:57
redhat
redhat
(RHSA-2023:0483) Critical: Red Hat Fuse 7.11.1.P1 security update
2023-01-26 21:53:56
(RHSA-2023:0544) Important: Red Hat Camel for Spring Boot 3.14.5 Patch 1 release and security update
2023-01-30 17:10:04
(RHSA-2023:0164) Important: Red Hat JBoss Enterprise Application Platform 7.4 security update
2023-01-12 20:48:48
osv
osv
CVE-2022-46364
2022-12-13 17:15:17
Apache CXF vulnerable to Exposure of Sensitive Information
2022-12-13 15:30:27
CVE-2022-46363
2022-12-13 15:15:11
cve
cve
CVE-2022-46364
2022-12-13 17:15:00
CVE-2022-46363
2022-12-13 15:15:00
cnvd
cnvd
Apache CXF input validation error vulnerability
2022-12-16 00:00:00
redhatcve
redhatcve
CVE-2022-46363
2022-12-21 21:04:48
CVE-2022-46364
2022-12-21 22:01:38
prion
prion
Remote code execution
2022-12-13 15:15:00
Server side request forgery (ssrf)
2022-12-13 17:15:00
veracode
veracode
Path Traversal
2022-12-14 03:52:21
Server-side Request Forgery (SSRF)
2022-12-14 02:50:22
github
github
Apache CXF vulnerable to Exposure of Sensitive Information
2022-12-13 15:30:27
Apache CXF Server-Side Request Forgery vulnerability
2022-12-13 18:30:26
nessus
nessus
RHEL 7 / 9 : Red Hat JBoss Enterprise Application Platform 7.4 (RHSA-2023:0163)
2023-01-13 00:00:00
Oracle Business Intelligence Publisher (OBIEE) (July 2023 CPU)
2023-07-21 00:00:00
Zimbra Collaboration Server 9.0.0 < 9.0.0 Patch 33 Multiple Vulnerabilities
2023-07-20 00:00:00
qualysblog
qualysblog
Oracle Patch Tuesday April 2023 Security Update Review
2023-04-19 11:47:21
Oracle Patch Tuesday, July 2023 Security Update Review
2023-07-19 15:56:06
oracle
oracle
Oracle Critical Patch Update Advisory - July 2023
2023-07-18 00:00:00
Oracle Critical Patch Update Advisory - April 2023
2023-04-18 00:00:00
Oracle Critical Patch Update Advisory - April 2024
2024-04-16 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.029 Low

EPSS

Percentile

90.6%

JSON
Related for BE0125A0244A48C63EDE3EEB023192A76A967E2BE6D206ACCD9E28DFD20C9EF3
ibm40redhat20osv4cve2cnvd1redhatcve2prion2veracode2github2nessus12qualysblog2oracle3