Description
In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
References
- Mailing List, Third Party Advisory
- Mailing List, Vendor Advisory
- Mailing List, Third Party Advisory
- Mailing List, Vendor Advisory
Vulnerable configurations
Configuration 1: versions up to and including 2.3
cpe:2.3:a:apache:soap:*:*:*:*:*:*:*:*
EPSS: 0.04512 (Low), percentile: 89%
CVSS3: 9.8 Critical
Weaknesses
CWE-306
Related vulnerabilities
CVSS3: 9.8
github
about 3 years ago
Apache SOAP contains unauthenticated RPCRouterServlet