{"id":"CVE-2022-46363","details":"A vulnerability in Apache CXF before versions 3.5.5 and 3.4.10 allows an attacker to perform a remote directory listing or code exfiltration. The vulnerability only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, and so the vulnerability can only arise if the CXF service is misconfigured.\n\n","aliases":["GHSA-3w37-5p3p-jv92"],"modified":"2026-04-10T04:52:38.939324Z","published":"2022-12-13T15:15:11.677Z","references":[{"type":"ADVISORY","url":"https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/cxf","events":[{"introduced":"0"},{"fixed":"c1cb4f5ffa1ec63e577644659c5957a3c1e94255"},{"introduced":"f93a0cea91c19c41338d96899a69bb66c463e9ff"},{"fixed":"dc4477f563acddc522018d9ef817304096b57a70"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.4.10"},{"introduced":"3.5.0"},{"fixed":"3.5.5"}]}}],"versions":["cxf-2.1","cxf-2.1.2","cxf-2.2","cxf-2.2.1","cxf-2.2.2","cxf-2.3.0","cxf-2.4.0","cxf-2.5.0","cxf-2.5.1","cxf-2.6.0","cxf-2.6.1","cxf-2.7.0","cxf-2.7.1","cxf-2.7.2","cxf-3.0.0","cxf-3.0.0-milestone2","cxf-3.1.0","cxf-3.1.1","cxf-3.1.2","cxf-3.1.3","cxf-3.1.4","cxf-3.2.0","cxf-3.2.1","cxf-3.2.2","cxf-3.2.3","cxf-3.2.4","cxf-3.2.5","cxf-3.3.0","cxf-3.3.1","cxf-3.3.2","cxf-3.3.3","cxf-3.4.0","cxf-3.4.1","cxf-3.4.2","cxf-3.4.3","cxf-3.4.4","cxf-3.4.5","cxf-3.4.6","cxf-3.4.7","cxf-3.4.8","cxf-3.4.9","cxf-3.5.0","cxf-3.5.1","cxf-3.5.2","cxf-3.5.3","cxf-3.5.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-46363.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}