Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-40743

Good to know:

icon

Date: September 5, 2023

** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.

Language: Java

Severity Score

Related Resources (6)

https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82
https://nvd.nist.gov/vuln/detail/CVE-2023-40743
https://github.com/apache/axis-axis1-java
https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html
https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
https://www.mend.io/vulnerability-database/CVE-2023-40743

Severity Score

Weakness Type (CWE)

Input Validation

CWE-20

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

CWE-75

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us