Apache Web Services security advisories
Security information for Apache Web Services
Reporting
Do you want disclose a potential security issue for Apache Web Services? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Unrestricted HTTP Redirect Following in Policy References
CVE-2026-42404 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-01T09:46:48.474Z
Affected
- Apache Neethi before 3.2.2
Description
Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden.
Users are recommended to upgrade to version 3.2.2, which fixes this issue.
References
Circular Policy Reference Infinite Loop
CVE-2026-42403 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-01T09:36:06.796Z
Affected
- Apache Neethi before 3.2.2
Description
Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause excessive recursion, leading to a stack overflow or application hang. An attacker can craft malicious policy documents with circular references to cause a Denial of Service condition
Users are recommended to upgrade to version 3.2.2, which fixes this issue.
References
Policy Normalization Unbounded Resource Allocation DoS
CVE-2026-42402 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-01T09:35:22.670Z
Affected
- Apache Neethi before 3.2.2
Description
Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocation that exhausts the JVM heap. This occurs when the normalization process generates an excessive number of policy alternatives without bounds, leading to runtime memory exhaustion.
Users should upgrade to 3.2.2 which limits the maximum number of normalized policy alternatives.
References
Apache SOAP allows unauthenticated users to potentially invoke arbitrary code
CVE-2022-45378 [CVE] [CVE json]
Last updated: 2022-11-14T14:06:51.577Z
Affected
- Apache SOAP at 2.3
- Apache SOAP from Apache SOAP before 2.3 unknown
Description
In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
References
Credits
- Apache would like to thank TsungShu Chiu (CHT Security) for reporting this issue
Apache SOAP: XML External Entity Injection (XXE) allows unauthenticated users to read arbitrary files via HTTP
CVE-2022-40705 [CVE] [CVE json] [OSV json]
Last updated: 2022-09-22T08:11:36.490Z
Affected
- Apache SOAP from 2.2 before Apache SOAP*
Description
An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
References
Credits
- Apache would like to thank TsungShu Chiu (CHT Security) for reporting this issue