org.apache.axis2:axis2@1.6.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.axis2:axis2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to Apache Axis SOAP stack.

Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) attacks.

How to fix Cross-site Scripting (XSS)?

Upgrade axis2 to version 1.7.4 or higher.

[,1.7.4)
  • M
Session Fixation

org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to the widely used Apache Axis SOAP stack.

Affected versions of this package are vulnerable to Session Fixation in the administrative interface at the path /axis2/axis2-admin. Attacker can exploit this flaw by doing a Cross-Site Scripting (XSS) attack and get his Session cookie and perform session hijacking attack.

How to fix Session Fixation?

Upgrade org.apache.axis2:axis2 to version 1.7.4 or higher.

[,1.7.4)
  • M
Improper Authentication

org.apache.axis2:axis2 is a Web Services / SOAP / WSDL engine, the successor to Apache Axis SOAP stack.

Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.

[1.1,1.6.3]
  • M
Improper Certificate Validation

org.apache.axis2:axis2 is a malicious package. It does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

How to fix Improper Certificate Validation?

Upgrade org.apache.axis2:axis2 to version 1.8.0 or higher.

[,1.8.0)