10 matches found
UBUNTU-CVE-2026-58501
Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbidexternal is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is fix...
EUVD-2026-39577
A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import...
CVE-2026-12992
Apicurio Registry is affected by an SSRF flaw in the WSDL handling path. The WSDLReaderAccessor constructs a wsdl4j WSDLReader without disabling javax.wsdl.importDocuments, and with the FULL VALIDITY rule enabled, a Developer-role user can upload a WSDL with attacker-controlled import locations, ...
CVE-2026-12992 Apicurio/apicurio-registry: apicurio-registry: ssrf via wsdl4j import dereference in wsdl full validation
A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import...
CVE-2026-12992
A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import...
GHSA-4CC2-G9W2-FHF6 Zeep: Server-Side Request Forgery (SSRF)
Summary When parsing a WSDL or XSD document, python-zeep follows transitive references — xsd:import, xsd:include, wsdl:import, and lxml entity/DTD resolution — and will fetch http/https URLs found in those references. The Settings.forbidexternal option, intended to disable this transitive remote...
CVE-2018-20580
The CVE-2018-20580 vulnerability affects SmartBear ReadyAPI 2.5.0 and 2.6.0, where WSDL import functionality can be abused to execute arbitrary Java code via a crafted parameter in a WSDL file. This is supported by multiple public references and exploits describing remote code execution. CVSSv3 b...
OpenJDK: insecure XML parsing in wsdlimport (JAX-WS, 8182054)
It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use secure XML parser settings when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak...
OpenJDK: insecure XML parsing in wsdlimport (JAX-WS, 8182054)
It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use secure XML parser settings when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak...
OpenJDK: insecure XML parsing in wsdlimport (JAX-WS, 8182054)
It was discovered that the wsdlimport tool in the JAX-WS component of OpenJDK did not use secure XML parser settings when parsing WSDL XML documents. A specially crafted WSDL document could cause wsdlimport to use an excessive amount of CPU and memory, open connections to other hosts, or leak...