CVE-2023-51441

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF This issue affects Apache Axis: through 1.3. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06	Patch
https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:*

History

12 Jan 2024, 21:04

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2
CWE	~~CWE-20~~	CWE-918
CPE		cpe:2.3:a:apache:axis::::::::
References	~~() https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 -~~	() https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 - Patch
References	~~() https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd -~~	() https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd - Patch, Third Party Advisory
First Time		Apache axis Apache

06 Jan 2024, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-06 12:15

Updated : 2024-08-02 23:15

NVD link : CVE-2023-51441

Mitre link : CVE-2023-51441

CVE.ORG link : CVE-2023-51441

JSON object : View

Products Affected

apache

axis

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2023-51441", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "security@apache.org"}], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2024-01-06T12:15:42.997", "references": [{"url": "https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06", "tags": ["Patch"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd", "tags": ["Patch", "Third Party Advisory"], "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-918"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\nThis issue affects Apache Axis: through 1.3.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\n this are welcome.\n\n"}, {"lang": "es", "value": "** NO SOPORTADO CUANDO SE ASIGN\u00d3 ** La vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache Axis permiti\u00f3 a los usuarios con acceso al servicio de administraci\u00f3n realizar posibles SSRF. Este problema afecta a Apache Axis: hasta 1.3. Como Axis 1 ha estado en EOL, le recomendamos migrar a un motor SOAP diferente, como Apache Axis 2/Java. Alternativamente, puede usar una compilaci\u00f3n de Axis con el parche de https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 aplicado. El proyecto Apache Axis no espera crear una versi\u00f3n Axis 1.x que solucione este problema, aunque los contribuyentes que deseen trabajar para lograrlo son bienvenidos."}], "lastModified": "2024-08-02T23:15:47.220", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D6E42C7C-08ED-4328-AAB8-FA052541C15B", "versionEndIncluding": "1.3"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}