List: xmlrpc-user
Subject: CVE-2022-40705: Apache SOAP: XML External Entity Injection (XXE) allows unauthenticated users to rea
From: Arnout Engelen <engelen () apache ! org>
Date: 2022-09-22 8:07:35
Message-ID: 5a3c1b0c-c91a-d8f9-5dc0-df404a8b0a60 () apache ! org
Severity: important

Description:

** UNSUPPORTED WHEN ASSIGNED ** An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Mitigation:

We do not expect to release a version that fixes this problem. Instead, we recommend that users migrate to one of the other actively maintained web service stacks such as Apache CXF (https://cxf.apache.org) or Apache Axis (https://axis.apache.org).

Apache SOAP is an archived project, with the last release published in 2003. This means it is no longer maintained, does not receive updates, and we do not commit to publishing CVEs for security problems in this project. This advisory is published purely as a courtesy.
Credit:

Apache would like to thank TsungShu Chiu (CHT Security) for reporting this issue.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org