In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2022/11/14/4 | Mailing List Third Party Advisory |
https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31 | Mailing List Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2022-11-14T00:00:00
Updated: 2024-06-04T17:15:48.082Z
Reserved: 2022-11-14T00:00:00
Link: CVE-2022-45378
JSON object: View
NVD Information
Status : Modified
Published: 2022-11-14T14:15:10.200
Modified: 2024-06-04T19:17:18.987
Link: CVE-2022-45378
JSON object: View
Redhat Information
No data.
CWE