CVE-2010-1632

CWE-20 — Improper Input Validation8 documents6 sources

Severity

7.5HIGH

EPSS

8.8%

top 7.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Axis2

Timeline

PublishedJun 22

Latest updateMay 17

Description

Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as…

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶Mavenorg.apache.axis2.wso2:axis2< 1.5.2

▶NVDapache/axis21.5.1+4

🔴Vulnerability Details

GHSA

Improper Input Validation in Apache Axis2↗2022-05-17

▶

OSV

Improper Input Validation in Apache Axis2↗2022-05-17

▶

GHSA

Improper Input Validation in Apache CXF↗2022-05-13

▶

CVEList

CVE-2010-1632: Apache Axis2 before 1↗2010-06-22

▶

📋Vendor Advisories

Red Hat

CXF: Insufficient constraints on Document Type Declarations (DTDs)↗2010-06-15

▶

Red Hat

Axis2: Does not properly reject DTDs in SOAP messages↗2009-07-23

▶

💬Community

Bugzilla

CVE-2010-1632 Apache Axis2: Does not properly reject DTDs in SOAP messages↗2010-06-23

▶