Apache SOAP allows unauthenticated users to potentially invoke arbitrary code
CVE-2022-45378

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Soap
Vendor: CVE Published:; 14 November 2022

Summary

In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected Version(s)

Apache SOAP Apache SOAP 2.3

References

https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2...

http://www.openwall.com/lists/oss-security/2022/11/14/4

mailing-list

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 14, 2022
Vulnerability Reserved
Nov 14, 2022

Credit

Apache would like to thank TsungShu Chiu (CHT Security) for reporting this issue