CVE-2022-45378 – soap:soap

Package

Manager: maven
Name: soap:soap
Vulnerable Version: >=0.0.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0836 pctl0.91949

Details

Apache SOAP contains unauthenticated RPCRouterServlet ** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Metadata

Created: 2022-11-14T19:00:19Z
Modified: 2022-11-18T16:11:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-789v-h9hw-38pg/GHSA-789v-h9hw-38pg.json
CWE IDs: ["CWE-287", "CWE-306", "CWE-502"]
Alternative ID: GHSA-789v-h9hw-38pg
Finding: F006
Auto approve: 1