Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
9.8
CVSSv3

CVE-2023-40743

Published: 05/09/2023 Updated: 11/04/2024
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 0
Subscribe to Axis

Vulnerability Summary

** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache axis

Vendor Advisories

Debian CVElist Bug Report Logs: axis: CVE-2023-40743
Debian Bug report logs - #1051288 axis: CVE-2023-40743 Package: src:axis; Maintainer for src:axis is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 5 Sep 2023 20:03:01 UTC Severity: important Tags: security, upstream Found in ...
Amazon Linux AMI: ALAS-2023-1840
** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1x in an application, it may not have been obvious that looking up a service through "ServiceFactorygetService" allows potentially dangerous lookup mechanisms such as LDAP When passing untrusted input to this API method, this could expose the applicatio ...

References

CWE-20https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82https://lists.debian.org/debian-lts-announce/2023/10/msg00025.htmlhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051288https://nvd.nist.govhttps://alas.aws.amazon.com/ALAS-2023-1840.html
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
client sideCVE-2023-31889template injectionCVE-2024-4304CVE-2006-4304CVE-2024-33272type confusionCVE-2024-21345CVE-2024-33271
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook