
Critical vulnerabilities in dependency (Apache CXF) #164

Open
StyopinN opened this issue Jan 11, 2023 · 2 comments

@StyopinN

There are a lot of known vulnerabilities in Apache CXF.

For example, very critical CVE-2022-46364 in cxf-core-3.3.9:

A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

Reference: https://www.cve.org/CVERecord?id=CVE-2022-46364

Is it possible to update <cxf.version>3.3.9</cxf.version> to the latest version (4.0.0 at this moment)? It looks like it is binary incompatible and needs some fixes in Winrm4j.
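Two checks a maintainer can run while the bump is pending, written here as an added example (not code from the issue or from the Winrm4j project): flag a POM whose `cxf.version` predates the fixed releases named in the CVE record above, and reject MTOM bodies whose `xop:Include` href is not a `cid:` part reference, which is the only form XOP defines. The version thresholds are the 3.5.5 and 3.4.10 figures from the CVE text; the sample POM and SOAP message are constructed.

```python
import xml.etree.ElementTree as ET

XOP_NS = "http://www.w3.org/2004/08/xop/include"
# Fixed releases named in the CVE-2022-46364 record quoted in the issue.
FIXED_VERSIONS = {(3, 5): (3, 5, 5), (3, 4): (3, 4, 10)}


def cxf_version_is_affected(version: str) -> bool:
    """True if a CXF version predates the fixes listed for CVE-2022-46364."""
    major, minor, patch = (int(p) for p in version.split("-")[0].split(".")[:3])
    if (major, minor) in FIXED_VERSIONS:
        return (major, minor, patch) < FIXED_VERSIONS[(major, minor)]
    # 4.x ships after the fix; 3.3.x and older have no fixed release listed.
    return (major, minor) < (3, 4)


def cxf_version_from_pom(pom_xml: str):
    """Read the <cxf.version> property from a POM, ignoring the POM namespace."""
    for el in ET.fromstring(pom_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "cxf.version":
            return el.text.strip()
    return None


def unsafe_xop_hrefs(soap_xml: str) -> list:
    """List xop:Include href values that are not cid: part references.
    XOP resolves includes through cid: URIs naming MIME parts of the same
    message; a server must never fetch any other URI scheme from here."""
    root = ET.fromstring(soap_xml)
    return [inc.get("href", "") for inc in root.iter(f"{{{XOP_NS}}}Include")
            if not inc.get("href", "").lower().startswith("cid:")]


# Constructed sample inputs (not from the issue): a POM pinned to the
# reported version and an MTOM body with one good and one bad include.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><cxf.version>3.3.9</cxf.version></properties>
</project>"""

SAMPLE_MTOM = """<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
    xmlns:xop="http://www.w3.org/2004/08/xop/include">
  <soap:Body><upload>
    <data><xop:Include href="cid:part1@example.org"/></data>
    <data><xop:Include href="http://not-a-cid.invalid/resource"/></data>
  </upload></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    ver = cxf_version_from_pom(SAMPLE_POM)
    print(f"cxf.version={ver} affected={cxf_version_is_affected(ver)}")
    print("non-cid includes:", unsafe_xop_hrefs(SAMPLE_MTOM))
```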

@StyopinN StyopinN mentioned this issue Jan 12, 2023
@StyopinN (Author)

I have started on a solution, but have a problem with generating code for the client: the jaxws/bindings.xml rules should change the package name, but they don't.

@astharora

Is anyone working on this?
