Homepage

org.apache.axis2:axis2@1.4.1 vulnerabilities

  • latest version

    1.8.2

  • latest non vulnerable version

    1.8.2

  • first published

    18 years ago

  • latest version published

    2 years ago

  • licenses detected

  • package manager

    View on Maven Repository
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the org.apache.axis2:axis2 package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Cross-site Scripting (XSS)

    org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to Apache Axis SOAP stack.

    Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) attacks.

    How to fix Cross-site Scripting (XSS)?

    Upgrade axis2 to version 1.7.4 or higher.

    [,1.7.4)
    • M
    Session Fixation

    org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to the widely used Apache Axis SOAP stack.

    Affected versions of this package are vulnerable to Session Fixation in the administrative interface at the path /axis2/axis2-admin. Attacker can exploit this flaw by doing a Cross-Site Scripting (XSS) attack and get his Session cookie and perform session hijacking attack.

    How to fix Session Fixation?

    Upgrade org.apache.axis2:axis2 to version 1.7.4 or higher.

    [,1.7.4)
    • M
    Improper Authentication

    org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to Apache Axis SOAP stack.

    Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.

    [1.1,1.6.3]
    • M
    Improper Certificate Validation

    org.apache.axis2:axis2 is a malicious package. It does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

    How to fix Improper Certificate Validation?

    Upgrade org.apache.axis2:axis2 to version 1.8.0 or higher.

    [,1.8.0)
    • H
    Improper Input Validation

    org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to the widely used Apache Axis SOAP stack.

    Affected versions of this package are vulnerable to Improper Input Validation. It does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.

    How to fix Improper Input Validation?

    Upgrade org.apache.axis2:axis2 to version 1.5.2 or higher.

    [0,1.5.2)
    • M
    Cross-site Scripting (XSS)

    org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to Apache Axis SOAP stack.

    Cross-site scripting (XSS) vulnerability in axis2-admin/axis2-admin/engagingglobally in the administration console in Apache Axis2/Java 1.4.1, 1.5.1, and possibly other versions, as used in SAP Business Objects 12, 3com IMC, and possibly other products, allows remote attackers to inject arbitrary web script or HTML via the modules parameter. NOTE: some of these details are obtained from third party information.

    [1.4.1,1.6.0)
    Go back to all versions of this package