Apache Axis security advisories

Security information for Apache Axis

Reporting

Do you want disclose a potential security issue for Apache Axis? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Apache Axis 1.x (EOL) may allow SSRF when untrusted input is passed to the service admin HTTP API

CVE-2023-51441 [CVE] [CVE json] [OSV json]

Last updated: 2024-01-31T09:07:08.922Z

Affected

  • Apache Axis through 1.3

Description

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF

This issue affects Apache Axis: through 1.3.

As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.

References

Credits

  • thiscodecc of MoyunSec Vlab and Bing (finder)

Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService

CVE-2023-40743 [CVE] [CVE json] [OSV json]

Last updated: 2023-09-05T14:42:08.579Z

Affected

  • Apache Axis through 1.3

Description

** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE.

As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210. The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.

References

Credits

  • Letian Yuan (finder)