Vulnerability Information
Vulnerability Title
Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService
Vulnerability Description
** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x into an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. Passing untrusted input to this API method could expose the application to DoS, SSRF and even attacks leading to RCE. As Axis 1 is EOL, we recommend migrating to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, review your code to verify that no untrusted or unsanitized input is passed to "ServiceFactory.getService", or apply the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210. The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors who would like to work towards this are welcome.
CVSS Information
N/A
Vulnerability Type
Improper Input Validation
Vulnerability Title
Apache Axis input validation error vulnerability
Vulnerability Description
Apache Axis is an open-source, XML-based web services framework from the Apache Software Foundation (USA). The product includes SOAP servers implemented in Java and C++, together with various common services and APIs for building and deploying web service applications. Apache Axis 1.x contains an input validation error vulnerability: when untrusted input is passed to the ServiceFactory.getService method, the application may be exposed to DoS, SSRF and even attacks leading to RCE.
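The code-review workaround named in both descriptions above, as an added example that is not part of this record or of the Axis project's code: a caller-supplied service name is checked against a fixed allowlist before it reaches ServiceFactory.getService, so a value carrying a URL scheme never becomes a remote JNDI lookup. It assumes the Axis 1.x static signature org.apache.axis.client.ServiceFactory.getService(Hashtable) and that Axis reads the JNDI name from the "jndiName" environment key; neither is stated on the page, and the allowlist entries are constructed.

```java
import java.util.Hashtable;
import java.util.Set;
import org.apache.axis.client.Service;
import org.apache.axis.client.ServiceFactory;

/**
 * Added example: guards ServiceFactory.getService so that only
 * pre-approved JNDI names can be looked up. Assumes Axis 1.x reads the
 * "jndiName" key from the environment Hashtable (assumption, not on the page).
 */
public final class SafeServiceLookup {

    // Constructed allowlist: the only names this application ever binds.
    private static final Set<String> ALLOWED_JNDI_NAMES =
            Set.of("axisServiceName", "orders/OrderService");

    private SafeServiceLookup() {}

    /** Accept only a plain, pre-approved JNDI name (null = Axis default). */
    static boolean isAllowedJndiName(String name) {
        if (name == null) {
            return true;
        }
        // A scheme prefix ("ldap:", "rmi:", ...) or "//" would turn the
        // lookup into a remote JNDI reference; refuse it before any lookup.
        if (name.indexOf(':') >= 0 || name.contains("//")) {
            return false;
        }
        return ALLOWED_JNDI_NAMES.contains(name);
    }

    /**
     * Builds the environment from a caller-supplied name and delegates to
     * the Axis API only after validation, so untrusted input never reaches it.
     */
    public static Service lookup(String requestedJndiName) {
        if (!isAllowedJndiName(requestedJndiName)) {
            throw new IllegalArgumentException(
                    "jndiName not in allowlist: " + requestedJndiName);
        }
        Hashtable<String, Object> env = new Hashtable<>();
        if (requestedJndiName != null) {
            env.put("jndiName", requestedJndiName);
        }
        return ServiceFactory.getService(env);
    }
}
```

Logging the rejected value at the IllegalArgumentException site gives a detection signal for lookup attempts that carry LDAP or RMI URLs.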
CVSS Information
N/A
Vulnerability Type
N/A