{"api_version":"1","generated_at":"2026-04-22T22:50:41+00:00","cve":"CVE-2022-46364","urls":{"html":"https://cve.report/CVE-2022-46364","api":"https://cve.report/api/cve/CVE-2022-46364.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-46364","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-46364"},"summary":{"title":"CVE-2022-46364","description":"A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2022-12-13 17:15:00","updated_at":"2023-11-07 03:55:00"},"problem_types":["CWE-918"],"metrics":[],"references":[{"url":"https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2","name":"https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2","refsource":"MISC","tags":[],"title":"","mime":"text/plain","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-46364","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-46364","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"46364","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"cxf","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-46364","qid":"241061","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4 (RHSA-2023:0163)"},{"cve":"CVE-2022-46364","qid":"241153","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.9 (RHSA-2023:0554)"},{"cve":"CVE-2022-46364","qid":"241154","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.9 (RHSA-2023:0552)"},{"cve":"CVE-2022-46364","qid":"241155","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.9 (RHSA-2023:0553)"},{"cve":"CVE-2022-46364","qid":"378346","title":"IBM WebSphere Application Server Liberty Server-Side Request Forgery (SSRF) Vulnerability (6953767)"},{"cve":"CVE-2022-46364","qid":"378917","title":"IBM Cognos Analytics Multiple Vulnerabilities (7040744)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-46364","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-918 Server-Side Request Forgery (SSRF)","cweId":"CWE-918"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache Software Foundation","product":{"product_data":[{"product_name":"Apache CXF","version":{"version_data":[{"version_value":"0","version_affected":"="}]}}]}}]}},"references":{"reference_data":[{"url":"https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2","refsource":"MISC","name":"https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"discovery":"EXTERNAL"},"credits":[{"lang":"en","value":"thanat0s from Beijin Qihoo 360 adlab"}]},"nvd":{"publishedDate":"2022-12-13 17:15:00","lastModifiedDate":"2023-11-07 03:55:00","problem_types":["CWE-918"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*","versionStartIncluding":"3.5.0","versionEndExcluding":"3.5.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*","versionEndExcluding":"3.4.10","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}