CVSS3 metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
EPSS percentile | 69.6% |
UNSUPPORTED WHEN ASSIGNED

When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through “ServiceFactory.getService” allows potentially dangerous lookup mechanisms such as LDAP. When untrusted input is passed to this API method, the application may be exposed to DoS, SSRF and even attacks leading to RCE. As Axis 1 is EOL, we recommend migrating to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, review your code to verify that no untrusted or unsanitized input is passed to “ServiceFactory.getService”, or apply the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210. The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors who would like to work towards this are welcome.
OS | OS version | Architecture | Package | Package version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | axis | < 1.4-25ubuntu0.1~esm1 | UNKNOWN |
ubuntu | 20.04 | noarch | axis | < 1.4-28+deb10u1build0.20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | axis | < 1.4-28+deb10u1build0.22.04.1 | UNKNOWN |
ubuntu | 23.04 | noarch | axis | < 1.4-28+deb10u1build0.23.04.1 | UNKNOWN |
ubuntu | 23.10 | noarch | axis | < 1.4-28+deb10u1build0.23.10.1 | UNKNOWN |
ubuntu | 16.04 | noarch | axis | < 1.4-24ubuntu0.1~esm1 | UNKNOWN |
https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
https://launchpad.net/bugs/cve/CVE-2023-40743
https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82
https://nvd.nist.gov/vuln/detail/CVE-2023-40743
https://security-tracker.debian.org/tracker/CVE-2023-40743
https://ubuntu.com/security/notices/USN-6470-1
https://www.cve.org/CVERecord?id=CVE-2023-40743
https://www.openwall.com/lists/oss-security/2023/09/05/1