
List:       xmlrpc-user
Subject:    CVE-2022-40705: Apache SOAP: XML External Entity Injection (XXE) allows unauthenticated users to rea
From:       Arnout Engelen <engelen () apache ! org>
Date:       2022-09-22 8:07:35
Message-ID: 5a3c1b0c-c91a-d8f9-5dc0-df404a8b0a60 () apache ! org

Severity: important

Description:

** UNSUPPORTED WHEN ASSIGNED ** An Improper Restriction of XML External Entity Reference vulnerability in RPCRouterServlet of Apache SOAP allows an attacker to read arbitrary files over HTTP. This issue affects Apache SOAP version 2.2 and later versions. It is unknown whether previous versions are also affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
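As an added illustration, not taken from the advisory or from the Apache SOAP code base, of the parser hardening a maintained Java stack should apply against this vulnerability class: the request's inline DTD (which is where an external entity reference would be declared) is refused before any entity could be resolved. The SOAP envelope, the `echo` element and the `file:///PLACEHOLDER/path` URL are constructed placeholders.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedSoapParser {

    // Constructed sample request: a SOAP 1.1 envelope carrying an inline DTD
    // that declares an external entity. A JAXP parser left at its defaults
    // resolves such entities while expanding &ext;, which is the behaviour
    // behind the "read arbitrary files" impact described above.
    static final String ENVELOPE_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE Envelope [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\">]>\n"
      + "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soap:Body><echo>&ext;</echo></soap:Body></soap:Envelope>";

    // Hardened factory: reject any DOCTYPE outright (SOAP messages never need
    // one) and, as defence in depth, switch off external entities, external
    // DTD loading, XInclude and entity expansion.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse a request body with the hardened factory. Returns null when the
    // document is rejected; the SAXParseException carries the reason, which
    // is worth logging as a detection signal for XXE attempts.
    static Document parseRequest(String body) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            return db.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            System.err.println("rejected request: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Document doc = parseRequest(ENVELOPE_WITH_DTD);
        System.out.println(doc == null ? "DOCTYPE rejected, entity never resolved" : "parsed");
    }
}
```

With the `disallow-doctype-decl` feature set, the parser fails on the `<!DOCTYPE` line itself, so the `SYSTEM` identifier is never dereferenced regardless of what it points to.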

Mitigation:

We do not expect to release a version that fixes this problem. Instead, we recommend users to migrate to one of the other actively maintained web service stacks such as Apache CXF (https://cxf.apache.org) or Apache Axis (https://axis.apache.org).

Apache SOAP is an archived project, with the last release published in 2003. This means it is no longer maintained, does not receive updates, and we do not commit to publishing CVEs for security problems in this project. This advisory is published purely as a courtesy.

Credit:

Apache would like to thank TsungShu Chiu (CHT Security) for reporting this issue.


