CVE-2010-1632
published 2010-06-22

Priority: P350, high
CVSS 2.0 base score: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
EPSS: 22.37% (97.4th percentile)
Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.

Affected (8 ranges)

Vendor   Product   Version range          Fixed in
apache   axis2     <= 1.5.1
apache   axis2     (no version data listed)
apache   axis2     (no version data listed)
apache   axis2     (no version data listed)
apache   axis2     (no version data listed)
apache   cxf       >= 2.0.6, < 2.0.13     2.0.13
apache   cxf       >= 2.1, < 2.1.10       2.1.10
apache   cxf       >= 2.2.0, < 2.2.9      2.2.9

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            2.0       7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa                     7.5     HIGH
osv                      7.5     HIGH
vendor_redhat            7.5     HIGH