cbcvebase.
CVE-2022-45378
published 2022-11-14

Priority: P262, critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.25% (80.7th percentile)
In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected (2 ranges)

Vendor                     | Product     | Version range | Fixed in
apache                     | soap        | <= 2.3        |
apache_software_foundation | apache_soap |               |

Detection & IOCs (extracted from sources)

  • The RPCRouterServlet endpoint is exposed without authentication in the default Apache SOAP configuration; monitor for unauthenticated HTTP requests targeting this servlet path.
  • Exploitation occurs over HTTP remotely; monitor for suspicious inbound HTTP traffic invoking methods via the RPCRouterServlet that could trigger classpath method execution or RCE.
  • The vulnerability is present in the DEFAULT configuration of Apache SOAP — no special setup is required for the RPCRouterServlet to be exposed unauthenticated.
  • Exploitability and impact depend heavily on what classes are present on the server's classpath at the time of attack.
  • Oracle Fusion Middleware (Portal Core and Third Party components using Apache SOAP) is confirmed affected and was patched in the APR 2024 and JUL 2024 CPU advisories.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_oracle |         | 9.8   | CRITICAL |