Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03ODl2LWg5aHctMzhwZ84AAv21
Apache SOAP contains unauthenticated RPCRouterServlet
** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Permalink: https://github.com/advisories/GHSA-789v-h9hw-38pgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03ODl2LWg5aHctMzhwZ84AAv21
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: 10 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-789v-h9hw-38pg, CVE-2022-45378
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-45378
- https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31
- http://www.openwall.com/lists/oss-security/2022/11/14/4
- https://github.com/advisories/GHSA-789v-h9hw-38pg
Affected Packages
maven:soap:soap
Dependent packages: 20Dependent repositories: 83
Downloads:
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 2.3.1