Path to dependency file: /test/acceptance/workspaces/mono-repo-project-manifests-only/pom.xml
Path to vulnerable library: /010165519_WMFUQT/downloadResource_SDYYBN/20211010170454/axis-1.4.jar,/r/.m2/repository/axis/axis/1.4/axis-1.4.jar,/r/.m2/repository/axis/axis/1.4/axis-1.4.jar,/r/.m2/repository/axis/axis/1.4/axis-1.4.jar,/r/.m2/repository/axis/axis/1.4/axis-1.4.jar
Path to dependency file: /test/acceptance/workspaces/gradle-with-orphaned-build-file/subproj/build.gradle
Path to vulnerable library: /r/.gradle/caches/modules-2/files-2.1/axis/axis/1.3/5292fcc2fd41fb22601db8fa92aed7a4223b4470/axis-1.3.jar,/r/.gradle/caches/modules-2/files-2.1/axis/axis/1.3/5292fcc2fd41fb22601db8fa92aed7a4223b4470/axis-1.3.jar,/r/.gradle/caches/modules-2/files-2.1/axis/axis/1.3/5292fcc2fd41fb22601db8fa92aed7a4223b4470/axis-1.3.jar,/r/.gradle/caches/modules-2/files-2.1/axis/axis/1.3/5292fcc2fd41fb22601db8fa92aed7a4223b4470/axis-1.3.jar,/r/.gradle/caches/modules-2/files-2.1/axis/axis/1.3/5292fcc2fd41fb22601db8fa92aed7a4223b4470/axis-1.3.jar
** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE.
As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.
CVE-2023-40743 - Critical Severity Vulnerability
Vulnerable Libraries - axis-1.4.jar, axis-1.3.jar
axis-1.4.jar
An implementation of the SOAP ("Simple Object Access Protocol") submission to W3C.
Library home page: http://ws.apache.org/axis
Path to dependency file: /test/acceptance/workspaces/mono-repo-project-manifests-only/pom.xml
Path to vulnerable library: /010165519_WMFUQT/downloadResource_SDYYBN/20211010170454/axis-1.4.jar,/r/.m2/repository/axis/axis/1.4/axis-1.4.jar,/r/.m2/repository/axis/axis/1.4/axis-1.4.jar,/r/.m2/repository/axis/axis/1.4/axis-1.4.jar,/r/.m2/repository/axis/axis/1.4/axis-1.4.jar
Dependency Hierarchy: - :x: **axis-1.4.jar** (Vulnerable Library)
axis-1.3.jar
Path to dependency file: /test/acceptance/workspaces/gradle-with-orphaned-build-file/subproj/build.gradle
Path to vulnerable library: /r/.gradle/caches/modules-2/files-2.1/axis/axis/1.3/5292fcc2fd41fb22601db8fa92aed7a4223b4470/axis-1.3.jar,/r/.gradle/caches/modules-2/files-2.1/axis/axis/1.3/5292fcc2fd41fb22601db8fa92aed7a4223b4470/axis-1.3.jar,/r/.gradle/caches/modules-2/files-2.1/axis/axis/1.3/5292fcc2fd41fb22601db8fa92aed7a4223b4470/axis-1.3.jar,/r/.gradle/caches/modules-2/files-2.1/axis/axis/1.3/5292fcc2fd41fb22601db8fa92aed7a4223b4470/axis-1.3.jar,/r/.gradle/caches/modules-2/files-2.1/axis/axis/1.3/5292fcc2fd41fb22601db8fa92aed7a4223b4470/axis-1.3.jar
Dependency Hierarchy: - :x: **axis-1.3.jar** (Vulnerable Library)
Found in HEAD commit: 9505f4ca92405cc9273dc3726c2d274ce28a4407
Found in base branch: ALL_HANDS/major-secrets
Vulnerability Details
** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.
Publish Date: 2023-09-05
URL: CVE-2023-40743
CVSS 3 Score Details (9.8)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here