oss-sec mailing list archives
CVE-2023-51441: Apache Axis 1.x (EOL) may allow SSRF when untrusted input is passed to the service admin HTTP API
From: Arnout Engelen <engelen () apache org>
Date: Fri, 05 Jan 2024 15:20:43 +0000
Severity: low

Affected versions:

- Apache Axis through 1.3

Description:

** UNSUPPORTED WHEN ASSIGNED **

Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF.

This issue affects Apache Axis: through 1.3.

As Axis 1 has been EOL, we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.

Credit:

thiscodecc of MoyunSec Vlab and Bing (finder)

References:

https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06
https://axis.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-51441
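The practical action item in the advisory above is an inventory check: find every Axis 1.x build in the range it names (through 1.3) and either migrate it to another SOAP engine or rebuild it with the referenced commit applied. The script below is an added example written for this page, not code from the advisory or the Apache Axis project. It scans the output of `mvn dependency:list` (sample lines constructed here) for Axis 1 coordinates in that range. It assumes, since the advisory does not say, that Axis 1 is consumed under the Maven coordinates `axis:axis` (older releases) and `org.apache.axis:axis` (later releases); adjust `AXIS1_ARTIFACTS` if your build pulls the jar in some other way, and remember that a vendored `axis.jar` on a classpath will not show up in Maven output at all.

```python
"""Flag Apache Axis 1.x dependencies in the range CVE-2023-51441 names.

Added example for the oss-sec post; not from the advisory or the Axis project.
Assumed (not stated in the advisory): the Maven group:artifact pairs below are
where Axis 1 jars come from in a typical build.
"""
import re
from typing import List, Tuple

CVE_ID = "CVE-2023-51441"
AFFECTED_MAX = (1, 3)  # advisory: "Apache Axis through 1.3" (major.minor)

# Assumption: Axis 1.x coordinates as published to Maven Central.
AXIS1_ARTIFACTS = {("axis", "axis"), ("org.apache.axis", "axis")}

# Constructed sample in `mvn dependency:list` format (not real project output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.axis:axis:jar:1.3:compile
[INFO]    axis:axis:jar:1.2.1:compile
[INFO]    org.apache.axis2:axis2-kernel:jar:1.8.2:compile
[INFO]    commons-logging:commons-logging:jar:1.2:compile
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.3', '1.2.1' or '1.4-SNAPSHOT' into a comparable int tuple.

    Only the leading dotted-numeric part is used; qualifiers are ignored.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(group: str, artifact: str, version: str) -> bool:
    """True if this coordinate is Axis 1 at or below the advisory's 1.3."""
    if (group, artifact) not in AXIS1_ARTIFACTS:
        return False
    # Compare on major.minor only, so '1.3' and '1.3.x' both fall in range.
    return parse_version(version)[:2] <= AFFECTED_MAX


def find_affected(dependency_list: str) -> List[str]:
    """Return 'group:artifact:version' for each affected Axis 1 coordinate.

    Accepts `mvn dependency:list` lines such as
    '[INFO]    org.apache.axis:axis:jar:1.3:compile'; the version is the first
    colon-separated field after the artifact that starts with a digit, which
    skips the packaging field ('jar') and ignores the trailing scope.
    """
    hits: List[str] = []
    for line in dependency_list.splitlines():
        if not line.strip():
            continue
        parts = line.split()[-1].split(":")
        if len(parts) < 3:
            continue  # banner lines like 'resolved:' have no coordinate
        group, artifact = parts[0], parts[1]
        version = next((p for p in parts[2:] if p[:1].isdigit()), None)
        if version is not None and is_affected(group, artifact, version):
            hits.append(f"{group}:{artifact}:{version}")
    return hits


if __name__ == "__main__":
    for coord in find_affected(SAMPLE_DEPENDENCY_LIST):
        print(f"{coord}: affected by {CVE_ID}; Axis 1 is EOL, migrate to "
              f"another SOAP engine or rebuild with the patch from the "
              f"advisory applied")
```

Feed it real output with `mvn dependency:list | python3 axis1_check.py` after replacing the sample with `sys.stdin.read()`; the same coordinate parsing works for Gradle's `group:artifact:version` notation because the version is located by its leading digit rather than by position.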