oss-sec mailing list archives

CVE-2023-51441: Apache Axis 1.x (EOL) may allow SSRF when untrusted input is passed to the service admin HTTP API


From: Arnout Engelen <engelen () apache org>
Date: Fri, 05 Jan 2024 15:20:43 +0000

Severity: low

Affected versions:

- Apache Axis through 1.3

Description:

** UNSUPPORTED WHEN ASSIGNED ** An improper input validation vulnerability in Apache Axis allowed users with access to the
admin service to perform a possible server-side request forgery (SSRF).
This issue affects Apache Axis through 1.3.

As Axis 1 is EOL, we recommend migrating to a different SOAP engine, such as Apache Axis2/Java. Alternatively,
you could use a build of Axis 1 with the patch from
https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis
project does not expect to create an Axis 1.x release fixing this problem, though contributors who would like to
work towards this are welcome.

Credit:

thiscodecc of MoyunSec Vlab and Bing (finder)

References:

https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06
https://axis.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-51441

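A configuration check an operator can run while planning the migration, added here as an example and not part of the message above or of the Axis project's code: Axis 1 gates its admin service behind the enableRemoteAdmin parameter of the AdminService entry in server-config.wsdd (default false, so only loopback callers are accepted). The descriptor below is a constructed sample, not a file shipped with Axis; the check flags the weak setting, and the hardened variant beside it restores the default. This only narrows who can reach the admin service and does not remove the SSRF itself, so the advice to migrate or apply the linked patch still stands.

```python
import xml.etree.ElementTree as ET

# Namespace used by Axis 1 deployment descriptors (server-config.wsdd).
WSDD_NS = "http://xml.apache.org/axis/wsdd/"

# Constructed sample (not shipped by the project): the AdminService entry is
# reachable from any host because enableRemoteAdmin has been flipped to true.
WEAK_WSDD = """<deployment xmlns="http://xml.apache.org/axis/wsdd/"
            xmlns:java="http://xml.apache.org/axis/wsdd/providers/java">
  <service name="AdminService" provider="java:MSG">
    <parameter name="allowedMethods" value="AdminService"/>
    <parameter name="enableRemoteAdmin" value="true"/>
    <parameter name="className" value="org.apache.axis.utils.Admin"/>
    <namespace>http://xml.apache.org/axis/wsdd/</namespace>
  </service>
</deployment>
"""

# The same descriptor with the Axis 1 default restored: only loopback
# callers are accepted by the admin service.
HARDENED_WSDD = WEAK_WSDD.replace(
    '<parameter name="enableRemoteAdmin" value="true"/>',
    '<parameter name="enableRemoteAdmin" value="false"/>',
)


def admin_service_settings(wsdd_xml: str) -> dict:
    """Locate the AdminService entry and report whether remote admin is on.

    Returns {"present": bool, "remote_admin": bool}; a descriptor without an
    AdminService entry yields present=False.
    """
    root = ET.fromstring(wsdd_xml)
    settings = {"present": False, "remote_admin": False}
    for svc in root.iter(f"{{{WSDD_NS}}}service"):
        if svc.get("name") != "AdminService":
            continue
        settings["present"] = True
        for param in svc.iter(f"{{{WSDD_NS}}}parameter"):
            if param.get("name") == "enableRemoteAdmin":
                value = (param.get("value") or "").strip().lower()
                settings["remote_admin"] = value == "true"
    return settings


def audit(wsdd_xml: str) -> list:
    """Return a list of findings for the descriptor; empty means nothing to flag."""
    findings = []
    s = admin_service_settings(wsdd_xml)
    if s["present"] and s["remote_admin"]:
        findings.append(
            "AdminService accepts remote callers (enableRemoteAdmin=true); "
            "set it to false or remove the service entry."
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WSDD), ("hardened", HARDENED_WSDD)):
        print(label, audit(cfg) or ["no findings"])
```

Run it against the real server-config.wsdd from the deployed WAR by reading the file into `audit()`; a descriptor that does not contain an AdminService entry at all also produces no findings, which is the preferred state when remote administration is not needed.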
