org.apache.axis2:axis2@1.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.axis2:axis2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to Apache Axis SOAP stack.

Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) attacks.

How to fix Cross-site Scripting (XSS)?

Upgrade axis2 to version 1.7.4 or higher.

[,1.7.4)
  • M
Session Fixation

org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to the widely used Apache Axis SOAP stack.

Affected versions of this package are vulnerable to Session Fixation in the administrative interface at the path /axis2/axis2-admin. Attacker can exploit this flaw by doing a Cross-Site Scripting (XSS) attack and get his Session cookie and perform session hijacking attack.

How to fix Session Fixation?

Upgrade org.apache.axis2:axis2 to version 1.7.4 or higher.

[,1.7.4)
  • M
Improper Authentication

org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to Apache Axis SOAP stack.

Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.

[1.1,1.6.3]
  • M
Improper Certificate Validation

org.apache.axis2:axis2 is a malicious package. It does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

How to fix Improper Certificate Validation?

Upgrade org.apache.axis2:axis2 to version 1.8.0 or higher.

[,1.8.0)
  • H
Improper Input Validation

org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to the widely used Apache Axis SOAP stack.

Affected versions of this package are vulnerable to Improper Input Validation. It does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.

How to fix Improper Input Validation?

Upgrade org.apache.axis2:axis2 to version 1.5.2 or higher.

[0,1.5.2)