Severity
9.8 CRITICAL (NVD)
EPSS
1.0% (top 23.50%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 5
Latest update: Nov 2

Description

** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may revie

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

NVD: apache/axis < 2023-08-01
Debian: apache/axis < 1.4-28+deb11u1+3
Ubuntu: apache/axis < 1.4-28+deb10u1build0.20.04.1+3

Patches

Vulnerability Details (5)

OSV: axis vulnerability (2023-11-02)
GHSA: Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService (2023-09-05)
OSV: CVE-2023-40743: ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1... (2023-09-05)
OSV: Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService (2023-09-05)
CVEList: Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService (2023-09-05)

Vendor Advisories (2)

Ubuntu: Axis vulnerability (2023-11-02)
Debian: CVE-2023-40743: axis - ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an applicati... (2023)
CVE-2023-40743 — Improper Input Validation in Apache | cvebase