Veracode Vulnerability DatabaseVERACODE:48140Server-side Request Forgery (SSRF)
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
53.3%
org.apache.cxf:cxf-rt-rs-service-description is vulnerable to Server-side Request Forgery (SSRF). The vulnerability is due to insufficient validation of the stylesheetReference and path parameters, which can be exploited by an attacker to perform SSRF style attacks. Note that this vulnerability is only exploitable when a custom stylesheet parameter is configured.
References
github.com/advisories/GHSA-5m3j-pxh7-455p
github.com/apache/cxf/commit/378afe1acb7503315bc63555c8743db0f55d8312
github.com/apache/cxf/commit/bafb0cadf723fc3962031c34f1f20dc0e8b7a36b
github.com/apache/cxf/commit/df2241c59481a57aebb1c0693b778a35baaf5570
lists.apache.org/thread/4jtpsswn2r6xommol54p5mg263ysgdw2
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
53.3%