Description: | Summary: Apache Axis is prone to multiple vulnerabilities.
Vulnerability Insight: The following vulnerabilities exist:
- CVE-2012-5784: SSL certificate validation security bypass
- CVE-2014-3596: Insecure certificate validation
- CVE-2018-8032: Cross-site scripting (XSS) in the default servlet/services
- CVE-2019-0227: Server-side request forgery (SSRF)
- CVE-2023-40743: Remote code execution (RCE)
- CVE-2023-51441: SSRF
Affected Software/OS: Apache Axis version 1.4 and prior.
Note: The vulnerability announcements for CVE-2023-40743 (September 2023) and CVE-2023-51441 (January 2024) list 'Apache Axis through 1.3' as affected. But since the vendor states that no fix is available, it is assumed that the latest available version, 1.4 (released on April 22, 2006), is affected as well.
Solution: No solution was made available by the vendor. General solution options are to upgrade to a newer release, disable the respective features, remove the product, or replace the product with another one.
Notes:
- Axis 1 is end-of-life (EOL) and the vendor recommends migrating to a different SOAP engine, such as Apache Axis2/Java
- Version 1.4 was released on April 22, 2006; some of the flaws have been fixed only in the SVN repository, which could be used to mitigate them
- The Apache Axis project does not expect to create an Axis 1.x release fixing these flaws
- If the remote installation has been built from the SVN sources or is covered by 'backports' of a Linux distribution, please create an override for this result
CVSS Score: 5.8
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
|