axis:axis 1.2-RC2 vulnerabilities

Known vulnerabilities in the axis:axis package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Server-side Request Forgery (SSRF) axis:axis is an implementation of the SOAP ("Simple Object Access Protocol") submission to W3C. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the service admin HTTP API, due to improper user input sanitization in the `getService` function of the `ServiceFactory` class. Exploiting this vulnerability allows an attacker to cause the server to make arbitrary requests to unintended locations by sending crafted input to the vulnerable admin service. Note As Axis 1 has been EOL, it is recommended to migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively, you could use a build of Axis with the patch from the [fix commit](https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied). The Apache Axis project does not expect to create an Axis 1.x release How to fix Server-side Request Forgery (SSRF)? There is no fixed version for `axis:axis`.	[0,)
H Improper Input Validation axis:axis is an implementation of the SOAP ("Simple Object Access Protocol") submission to W3C. Affected versions of this package are vulnerable to Improper Input Validation via the `ServiceFactory.getService` functionality, which allows potentially dangerous lookup mechanisms. Exploiting this vulnerability is possible when passing untrusted input to this API method and might result in DoS, SSRF and even RCE. Note As Axis 1 has been EOL it is recommended to migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to `ServiceFactory.getService`, or by applying the patch from the commit shared in the references. How to fix Improper Input Validation? There is no fixed version for `axis:axis`.	[0,)
H Remote Code Execution axis:axis is a implementation of the SOAP ("Simple Object Access Protocol") submission to W3C. Affected versions of this package are vulnerable to Remote Code Execution. due to an expired hard coded domain used in a default example service as part of the default install. How to fix Remote Code Execution? There is no fixed version for `axis:axis`.	[0,)
M Cross-site Scripting (XSS) Apache Axis is an open-source, XML based Web service framework. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks due to not escaping namespace URIs. How to fix Cross-site Scripting (XSS)? A fix has been merged to the master branch but not yet published.	[0,)
M Man-in-the-Middle (MitM) axis:axis is an implementation of the SOAP ("Simple Object Access Protocol") submission to W3C. Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). It does not verify the requesting server's hostname agains existing domain names in the SSL Certificate. How to fix Man-in-the-Middle (MitM)? There is no fixed version for `axis:axis`.	[0,)
M Man-in-the-Middle (MitM) axis:axis is an implementation of the SOAP ("Simple Object Access Protocol") submission to W3C. Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). It does not verify the requesting server's hostname against existing domain names in the SSL Certificate. How to fix Man-in-the-Middle (MitM)? There is no fixed version for `axis:axis`.	[0,)

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

axis:axis is an implementation of the SOAP ("Simple Object Access Protocol") submission to W3C.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the service admin HTTP API, due to improper user input sanitization in the getService function of the ServiceFactory class. Exploiting this vulnerability allows an attacker to cause the server to make arbitrary requests to unintended locations by sending crafted input to the vulnerable admin service.

Note As Axis 1 has been EOL, it is recommended to migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively, you could use a build of Axis with the patch from the [fix commit](https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied).

The Apache Axis project does not expect to create an Axis 1.x release

How to fix Server-side Request Forgery (SSRF)?

There is no fixed version for axis:axis.

[0,)

Improper Input Validation

axis:axis is an implementation of the SOAP ("Simple Object Access Protocol") submission to W3C.

Affected versions of this package are vulnerable to Improper Input Validation via the ServiceFactory.getService functionality, which allows potentially dangerous lookup mechanisms. Exploiting this vulnerability is possible when passing untrusted input to this API method and might result in DoS, SSRF and even RCE.

Note

As Axis 1 has been EOL it is recommended to migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to ServiceFactory.getService, or by applying the patch from the commit shared in the references.

How to fix Improper Input Validation?

There is no fixed version for axis:axis.

[0,)

Remote Code Execution

axis:axis is a implementation of the SOAP ("Simple Object Access Protocol") submission to W3C.

Affected versions of this package are vulnerable to Remote Code Execution. due to an expired hard coded domain used in a default example service as part of the default install.

How to fix Remote Code Execution?

There is no fixed version for axis:axis.

[0,)

Cross-site Scripting (XSS)

Apache Axis is an open-source, XML based Web service framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks due to not escaping namespace URIs.

How to fix Cross-site Scripting (XSS)?

A fix has been merged to the master branch but not yet published.

[0,)

Man-in-the-Middle (MitM)

axis:axis is an implementation of the SOAP ("Simple Object Access Protocol") submission to W3C.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). It does not verify the requesting server's hostname agains existing domain names in the SSL Certificate.

How to fix Man-in-the-Middle (MitM)?

There is no fixed version for axis:axis.

[0,)

Man-in-the-Middle (MitM)

axis:axis is an implementation of the SOAP ("Simple Object Access Protocol") submission to W3C.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). It does not verify the requesting server's hostname against existing domain names in the SSL Certificate.

How to fix Man-in-the-Middle (MitM)?

There is no fixed version for axis:axis.

[0,)

axis:axis@1.2-RC2 vulnerabilities

latest version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?