Apache Axis 1.x (EOL) may allow SSRF when untrusted input is passed to the service admin HTTP API
CVE-2023-51441

7.2HIGH

Key Information:

Vendor: Apache
Status: Apache Axis
Vendor: CVE Published:; 6 January 2024

Summary

An input validation vulnerability in Apache Axis enables users with access to the admin service to potentially execute Server-Side Request Forgery (SSRF) attacks. This vulnerability impacts users of Apache Axis version 1.3 and earlier. As Apache Axis 1 has reached its End of Life (EOL), migrating to a modern SOAP engine, such as Apache Axis 2/Java, is highly recommended. Alternatively, users can utilize a fork of Axis that includes a specific patch designed to remediate the vulnerability. Future releases of Axis 1.x addressing this issue are not anticipated, and community contributions to develop such a release may be welcomed.

Affected Version(s)

Apache Axis 0 <= 1.3

References

https://github.com/apache/axis-axis1-java/commit/685c309f...

patch

https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wm...

vendor-advisory

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 6, 2024
Vulnerability Reserved
Dec 19, 2023

Credit

thiscodecc of MoyunSec Vlab and Bing