CVE-2022-45378
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache SOAP | Apache SOAP 2.3 | affected |
| Apache Software Foundation | Apache SOAP | Apache SOAP < 2.3 | unknown |
Weaknesses
- CWE-306: CWE-306 Missing Authentication for Critical Function
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
CVE Program Container
Additional References
- https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31
- http://www.openwall.com/lists/oss-security/2022/11/14/4
References
- https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31
- http://www.openwall.com/lists/oss-security/2022/11/14/4
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.