CVE-2010-1632 – org.apache.axis2.wso2:axis2

Package

Manager: maven
Name: org.apache.axis2.wso2:axis2
Vulnerable Version: >=0 <1.5.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0881 pctl0.92193

Details

Improper Input Validation in Apache Axis2 Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.

Metadata

Created: 2022-05-17T02:22:43Z
Modified: 2022-07-08T18:56:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-23vv-v25h-qwqw/GHSA-23vv-v25h-qwqw.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-23vv-v25h-qwqw
Finding: F184
Auto approve: 1