Vulnerability-Lookup

CVE-2023-51441 (GCVE-0-2023-51441)

Vulnerability from cvelistv5 – Published: 2024-01-06 11:59 – Updated: 2025-06-18 15:50 Unsupported When Assigned

Title

Apache Axis 1.x (EOL) may allow SSRF when untrusted input is passed to the service admin HTTP API

Summary

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF This issue affects Apache Axis: through 1.3. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.

Severity

No CVSS data available.

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

apache

References

2 references

URL	Tags
https://github.com/apache/axis-axis1-java/commit/…	patch
https://lists.apache.org/thread/8nrm5thop8f82pglx…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Axis	Affected: 0 , ≤ 1.3 (semver)

Credits

thiscodecc of MoyunSec Vlab and Bing

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T22:32:10.187Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-51441",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-08T14:33:06.858230Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-18T15:50:11.058Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.axis:axis-rt-core",
          "product": "Apache Axis",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "thiscodecc of MoyunSec Vlab and Bing"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\u003cbr\u003e\u003cp\u003eThis issue affects Apache Axis: through 1.3.\u003c/p\u003e\u003cp\u003eAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06\"\u003ehttps://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06\u003c/a\u003e applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\n this are welcome.\n\u003c/p\u003e"
            }
          ],
          "value": "** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\nThis issue affects Apache Axis: through 1.3.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from  https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06  applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\n this are welcome.\n\n"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "low"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-31T09:07:11.230Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "unsupported-when-assigned"
      ],
      "title": "Apache Axis 1.x (EOL) may allow SSRF when untrusted input is passed to the service admin HTTP API",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-51441",
    "datePublished": "2024-01-06T11:59:37.769Z",
    "dateReserved": "2023-12-19T13:42:01.233Z",
    "dateUpdated": "2025-06-18T15:50:11.058Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-51441",
      "date": "2026-05-29",
      "epss": "0.00075",
      "percentile": "0.22668"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.3\", \"matchCriteriaId\": \"D6E42C7C-08ED-4328-AAB8-FA052541C15B\"}]}]}]",
      "cveTags": "[{\"sourceIdentifier\": \"security@apache.org\", \"tags\": [\"unsupported-when-assigned\"]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\\nThis issue affects Apache Axis: through 1.3.\\n\\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from  https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06  applied. The Apache Axis project does not expect to create an Axis 1.x release \\nfixing this problem, though contributors that would like to work towards\\n this are welcome.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"** NO SOPORTADO CUANDO SE ASIGN\\u00d3 ** La vulnerabilidad de validaci\\u00f3n de entrada incorrecta en Apache Axis permiti\\u00f3 a los usuarios con acceso al servicio de administraci\\u00f3n realizar posibles SSRF. Este problema afecta a Apache Axis: hasta 1.3. Como Axis 1 ha estado en EOL, le recomendamos migrar a un motor SOAP diferente, como Apache Axis 2/Java. Alternativamente, puede usar una compilaci\\u00f3n de Axis con el parche de https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 aplicado. El proyecto Apache Axis no espera crear una versi\\u00f3n Axis 1.x que solucione este problema, aunque los contribuyentes que deseen trabajar para lograrlo son bienvenidos.\"}]",
      "id": "CVE-2023-51441",
      "lastModified": "2024-11-21T08:38:07.500",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}]}",
      "published": "2024-01-06T12:15:42.997",
      "references": "[{\"url\": \"https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06\", \"source\": \"security@apache.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd\", \"source\": \"security@apache.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-51441\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2024-01-06T12:15:42.997\",\"lastModified\":\"2025-06-18T16:15:24.110\",\"vulnStatus\":\"Modified\",\"cveTags\":[{\"sourceIdentifier\":\"security@apache.org\",\"tags\":[\"unsupported-when-assigned\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\\nThis issue affects Apache Axis: through 1.3.\\n\\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from  https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06  applied. The Apache Axis project does not expect to create an Axis 1.x release \\nfixing this problem, though contributors that would like to work towards\\n this are welcome.\\n\\n\"},{\"lang\":\"es\",\"value\":\"** NO SOPORTADO CUANDO SE ASIGN\u00d3 ** La vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache Axis permiti\u00f3 a los usuarios con acceso al servicio de administraci\u00f3n realizar posibles SSRF. Este problema afecta a Apache Axis: hasta 1.3. Como Axis 1 ha estado en EOL, le recomendamos migrar a un motor SOAP diferente, como Apache Axis 2/Java. Alternativamente, puede usar una compilaci\u00f3n de Axis con el parche de https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 aplicado. El proyecto Apache Axis no espera crear una versi\u00f3n Axis 1.x que solucione este problema, aunque los contribuyentes que deseen trabajar para lograrlo son bienvenidos.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.3\",\"matchCriteriaId\":\"D6E42C7C-08ED-4328-AAB8-FA052541C15B\"}]}]}],\"references\":[{\"url\":\"https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06\", \"tags\": [\"patch\", \"x_transferred\"]}, {\"url\": \"https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T22:32:10.187Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-51441\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-01-08T14:33:06.858230Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-18T15:50:03.847Z\"}}], \"cna\": {\"tags\": [\"unsupported-when-assigned\"], \"title\": \"Apache Axis 1.x (EOL) may allow SSRF when untrusted input is passed to the service admin HTTP API\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"thiscodecc of MoyunSec Vlab and Bing\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"low\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Axis\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.3\"}], \"packageName\": \"org.apache.axis:axis-rt-core\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06\", \"tags\": [\"patch\"]}, {\"url\": \"https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\\nThis issue affects Apache Axis: through 1.3.\\n\\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from  https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06  applied. The Apache Axis project does not expect to create an Axis 1.x release \\nfixing this problem, though contributors that would like to work towards\\n this are welcome.\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\u003cbr\u003e\u003cp\u003eThis issue affects Apache Axis: through 1.3.\u003c/p\u003e\u003cp\u003eAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06\\\"\u003ehttps://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06\u003c/a\u003e applied. The Apache Axis project does not expect to create an Axis 1.x release \\nfixing this problem, though contributors that would like to work towards\\n this are welcome.\\n\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918 Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2024-01-31T09:07:11.230Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-51441\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-18T15:50:11.058Z\", \"dateReserved\": \"2023-12-19T13:42:01.233Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2024-01-06T11:59:37.769Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2024-AVI-0992

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	Sterling	IBM Sterling Connect:Direct Web Services versions 6.3.x antérieures à 6.3.0.10
IBM	Sterling	IBM Sterling B2B Integrator versions 6.2x antérieures à 6.2.0.3
IBM	Sterling	IBM Sterling Transformation Extender versions 10.1.1.x antérieures à 10.1.1.1 avec les derniers correctifs de sécurité
IBM	Sterling	IBM Sterling Transformation Extender versions 10.1.2.x antérieures à 10.1.2.1 avec les derniers correctifs de sécurité
IBM	Sterling	IBM Sterling Connect:Direct Web Services versions 6.2.x antérieures à 6.2.0.25
IBM	Sterling	IBM Sterling Secure Proxy versions 6.0.x antérireures à 6.0.3.1
IBM	Sterling	IBM Sterling B2B Integrator versions 6.x antérieures à 6.1.2.6
IBM	WebSphere	WebSphere eXtreme Scale versions 8.6.x antérieures à 8.6.1.6 avec les derniers correctifs de sécurité
IBM	Sterling	IBM Sterling Transformation Extender versions 10.1.0.x antérieures à 10.1.0.2 avec les derniers correctifs de sécurité
IBM	Sterling	IBM Sterling Connect:Direct Web Services versions 6.1.x antérieures à 6.1.0.26
IBM	Sterling	IBM Sterling Control Center versions 6.3.1.x antérieures à 6.3.1.0 iFix03
IBM	Sterling	IBM Sterling Control Center versions 6.2.1.x antérieures à 6.2.1.0 iFix14
IBM	QRadar	QRadar WinCollect Agent versions 10.x antérieures à 10.1.13
IBM	Sterling	IBM Sterling Transformation Extender versions 11.x antérieures à 11.0.0.0 avec les derniers correctifs de sécurité
IBM	Sterling	IBM Sterling Secure Proxy versions 6.1.x antérireures à 6.1.0.1

References

Title

Publication Time

CERTFR-2024-AVI-0992

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
IBM	Sterling	IBM Sterling Connect:Direct Web Services versions 6.3.x antérieures à 6.3.0.10
IBM	Sterling	IBM Sterling B2B Integrator versions 6.2x antérieures à 6.2.0.3
IBM	Sterling	IBM Sterling Transformation Extender versions 10.1.1.x antérieures à 10.1.1.1 avec les derniers correctifs de sécurité
IBM	Sterling	IBM Sterling Transformation Extender versions 10.1.2.x antérieures à 10.1.2.1 avec les derniers correctifs de sécurité
IBM	Sterling	IBM Sterling Connect:Direct Web Services versions 6.2.x antérieures à 6.2.0.25
IBM	Sterling	IBM Sterling Secure Proxy versions 6.0.x antérireures à 6.0.3.1
IBM	Sterling	IBM Sterling B2B Integrator versions 6.x antérieures à 6.1.2.6
IBM	WebSphere	WebSphere eXtreme Scale versions 8.6.x antérieures à 8.6.1.6 avec les derniers correctifs de sécurité
IBM	Sterling	IBM Sterling Transformation Extender versions 10.1.0.x antérieures à 10.1.0.2 avec les derniers correctifs de sécurité
IBM	Sterling	IBM Sterling Connect:Direct Web Services versions 6.1.x antérieures à 6.1.0.26
IBM	Sterling	IBM Sterling Control Center versions 6.3.1.x antérieures à 6.3.1.0 iFix03
IBM	Sterling	IBM Sterling Control Center versions 6.2.1.x antérieures à 6.2.1.0 iFix14
IBM	QRadar	QRadar WinCollect Agent versions 10.x antérieures à 10.1.13
IBM	Sterling	IBM Sterling Transformation Extender versions 11.x antérieures à 11.0.0.0 avec les derniers correctifs de sécurité
IBM	Sterling	IBM Sterling Secure Proxy versions 6.1.x antérireures à 6.1.0.1

References

Title

Publication Time

CNVD-2024-27494

Vulnerability from cnvd - Published: 2024-06-17

Title

Apache Axis代码问题漏洞

Description

Apache Axis是美国阿帕奇（Apache）基金会的一个开源、基于XML的Web服务架构。该产品包含了Java和C++语言实现的SOAP服务器，以及各种公用服务及API，以生成和部署Web服务应用。 Apache Axis 1.3及之前版本存在安全漏洞，该漏洞源于存在不正确输入验证，有权访问管理服务的攻击者可利用该漏洞执行可能的服务器端请求伪造攻击。

Severity

高

Patch Name

Apache Axis代码问题漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd

Reference

https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06

Impacted products

Name
Apache Axis <=1.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-51441",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-51441"
    }
  },
  "description": "Apache Axis\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5f00\u6e90\u3001\u57fa\u4e8eXML\u7684Web\u670d\u52a1\u67b6\u6784\u3002\u8be5\u4ea7\u54c1\u5305\u542b\u4e86Java\u548cC++\u8bed\u8a00\u5b9e\u73b0\u7684SOAP\u670d\u52a1\u5668\uff0c\u4ee5\u53ca\u5404\u79cd\u516c\u7528\u670d\u52a1\u53caAPI\uff0c\u4ee5\u751f\u6210\u548c\u90e8\u7f72Web\u670d\u52a1\u5e94\u7528\u3002\n\nApache Axis 1.3\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5b58\u5728\u4e0d\u6b63\u786e\u8f93\u5165\u9a8c\u8bc1\uff0c\u6709\u6743\u8bbf\u95ee\u7ba1\u7406\u670d\u52a1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u53ef\u80fd\u7684\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-27494",
  "openTime": "2024-06-17",
  "patchDescription": "Apache Axis\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u5f00\u6e90\u3001\u57fa\u4e8eXML\u7684Web\u670d\u52a1\u67b6\u6784\u3002\u8be5\u4ea7\u54c1\u5305\u542b\u4e86Java\u548cC++\u8bed\u8a00\u5b9e\u73b0\u7684SOAP\u670d\u52a1\u5668\uff0c\u4ee5\u53ca\u5404\u79cd\u516c\u7528\u670d\u52a1\u53caAPI\uff0c\u4ee5\u751f\u6210\u548c\u90e8\u7f72Web\u670d\u52a1\u5e94\u7528\u3002\r\n\r\nApache Axis 1.3\u53ca\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5b58\u5728\u4e0d\u6b63\u786e\u8f93\u5165\u9a8c\u8bc1\uff0c\u6709\u6743\u8bbf\u95ee\u7ba1\u7406\u670d\u52a1\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u53ef\u80fd\u7684\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u653b\u51fb\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Axis\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Axis \u003c=1.3"
  },
  "referenceLink": "https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06",
  "serverity": "\u9ad8",
  "submitTime": "2024-01-11",
  "title": "Apache Axis\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e"
}

FKIE_CVE-2023-51441

Vulnerability from fkie_nvd - Published: 2024-01-06 12:15 - Updated: 2025-06-18 16:15

Severity

7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@apache.org	https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06	Patch
security@apache.org	https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06	Patch
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	apache	axis	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D6E42C7C-08ED-4328-AAB8-FA052541C15B",
              "versionEndIncluding": "1.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [
    {
      "sourceIdentifier": "security@apache.org",
      "tags": [
        "unsupported-when-assigned"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\nThis issue affects Apache Axis: through 1.3.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from  https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06  applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\n this are welcome.\n\n"
    },
    {
      "lang": "es",
      "value": "** NO SOPORTADO CUANDO SE ASIGN\u00d3 ** La vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache Axis permiti\u00f3 a los usuarios con acceso al servicio de administraci\u00f3n realizar posibles SSRF. Este problema afecta a Apache Axis: hasta 1.3. Como Axis 1 ha estado en EOL, le recomendamos migrar a un motor SOAP diferente, como Apache Axis 2/Java. Alternativamente, puede usar una compilaci\u00f3n de Axis con el parche de https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 aplicado. El proyecto Apache Axis no espera crear una versi\u00f3n Axis 1.x que solucione este problema, aunque los contribuyentes que deseen trabajar para lograrlo son bienvenidos."
    }
  ],
  "id": "CVE-2023-51441",
  "lastModified": "2025-06-18T16:15:24.110",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-01-06T12:15:42.997",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

GHSA-HR2C-P8RH-238H

Vulnerability from github – Published: 2024-01-06 12:30 – Updated: 2024-03-14 21:57

Summary

Apache Axis Improper Input Validation vulnerability

Details

** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF. This issue affects Apache Axis through 1.3.

As Axis 1 has been EOL, we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.

Severity

7.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.axis:axis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "axis:axis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-51441"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-08T15:49:03Z",
    "nvd_published_at": "2024-01-06T12:15:42Z",
    "severity": "HIGH"
  },
  "details": "** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF.\nThis issue affects Apache Axis through 1.3.\n\nAs Axis 1 has been EOL, we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards this are welcome.",
  "id": "GHSA-hr2c-p8rh-238h",
  "modified": "2024-03-14T21:57:50Z",
  "published": "2024-01-06T12:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51441"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/axis-axis1-java"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Axis Improper Input Validation vulnerability"
}

GSD-2023-51441

Vulnerability from gsd - Updated: 2023-12-21 06:01

Details

** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF This issue affects Apache Axis: through 1.3. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied. The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.

Aliases

CVE-2023-51441

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-51441"
      ],
      "details": "** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\nThis issue affects Apache Axis: through 1.3.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from  https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06  applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\n this are welcome.\n\n",
      "id": "GSD-2023-51441",
      "modified": "2023-12-21T06:01:31.664784Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2023-51441",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Axis",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "0",
                          "version_value": "1.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "thiscodecc of MoyunSec Vlab and Bing"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\nThis issue affects Apache Axis: through 1.3.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from  https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06  applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\n this are welcome.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-918",
                "lang": "eng",
                "value": "CWE-918 Server-Side Request Forgery (SSRF)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06",
            "refsource": "MISC",
            "url": "https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06"
          },
          {
            "name": "https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "D6E42C7C-08ED-4328-AAB8-FA052541C15B",
                    "versionEndIncluding": "1.3",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\nThis issue affects Apache Axis: through 1.3.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from  https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06  applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\n this are welcome.\n\n"
          },
          {
            "lang": "es",
            "value": "** NO SOPORTADO CUANDO SE ASIGN\u00d3 ** La vulnerabilidad de validaci\u00f3n de entrada incorrecta en Apache Axis permiti\u00f3 a los usuarios con acceso al servicio de administraci\u00f3n realizar posibles SSRF. Este problema afecta a Apache Axis: hasta 1.3. Como Axis 1 ha estado en EOL, le recomendamos migrar a un motor SOAP diferente, como Apache Axis 2/Java. Alternativamente, puede usar una compilaci\u00f3n de Axis con el parche de https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 aplicado. El proyecto Apache Axis no espera crear una versi\u00f3n Axis 1.x que solucione este problema, aunque los contribuyentes que deseen trabajar para lograrlo son bienvenidos."
          }
        ],
        "id": "CVE-2023-51441",
        "lastModified": "2024-04-11T01:22:44.317",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.2,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2024-01-06T12:15:42.997",
        "references": [
          {
            "source": "security@apache.org",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06"
          },
          {
            "source": "security@apache.org",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd"
          }
        ],
        "sourceIdentifier": "security@apache.org",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-918"
              }
            ],
            "source": "security@apache.org",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-918"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

OPENSUSE-SU-2024:13659-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

axis-1.4-307.1 on GA media

Severity

Moderate

Notes

Title of the patch: axis-1.4-307.1 on GA media

Description of the patch: These are all security issues fixed in the axis-1.4-307.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-13659

CVE-2023-51441

4.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:axis-1.4-307.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:axis-1.4-307.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:axis-1.4-307.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:axis-1.4-307.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:axis-manual-1.4-307.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:axis-manual-1.4-307.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:axis-manual-1.4-307.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:axis-manual-1.4-307.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2023-51441/	self
https://www.suse.com/security/cve/CVE-2023-51441	external
https://bugzilla.suse.com/1218605	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "axis-1.4-307.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the axis-1.4-307.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13659",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13659-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-51441 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-51441/"
      }
    ],
    "title": "axis-1.4-307.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13659-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "axis-1.4-307.1.aarch64",
                "product": {
                  "name": "axis-1.4-307.1.aarch64",
                  "product_id": "axis-1.4-307.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "axis-manual-1.4-307.1.aarch64",
                "product": {
                  "name": "axis-manual-1.4-307.1.aarch64",
                  "product_id": "axis-manual-1.4-307.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "axis-1.4-307.1.ppc64le",
                "product": {
                  "name": "axis-1.4-307.1.ppc64le",
                  "product_id": "axis-1.4-307.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "axis-manual-1.4-307.1.ppc64le",
                "product": {
                  "name": "axis-manual-1.4-307.1.ppc64le",
                  "product_id": "axis-manual-1.4-307.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "axis-1.4-307.1.s390x",
                "product": {
                  "name": "axis-1.4-307.1.s390x",
                  "product_id": "axis-1.4-307.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "axis-manual-1.4-307.1.s390x",
                "product": {
                  "name": "axis-manual-1.4-307.1.s390x",
                  "product_id": "axis-manual-1.4-307.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "axis-1.4-307.1.x86_64",
                "product": {
                  "name": "axis-1.4-307.1.x86_64",
                  "product_id": "axis-1.4-307.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "axis-manual-1.4-307.1.x86_64",
                "product": {
                  "name": "axis-manual-1.4-307.1.x86_64",
                  "product_id": "axis-manual-1.4-307.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "axis-1.4-307.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:axis-1.4-307.1.aarch64"
        },
        "product_reference": "axis-1.4-307.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "axis-1.4-307.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:axis-1.4-307.1.ppc64le"
        },
        "product_reference": "axis-1.4-307.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "axis-1.4-307.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:axis-1.4-307.1.s390x"
        },
        "product_reference": "axis-1.4-307.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "axis-1.4-307.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:axis-1.4-307.1.x86_64"
        },
        "product_reference": "axis-1.4-307.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "axis-manual-1.4-307.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:axis-manual-1.4-307.1.aarch64"
        },
        "product_reference": "axis-manual-1.4-307.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "axis-manual-1.4-307.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:axis-manual-1.4-307.1.ppc64le"
        },
        "product_reference": "axis-manual-1.4-307.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "axis-manual-1.4-307.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:axis-manual-1.4-307.1.s390x"
        },
        "product_reference": "axis-manual-1.4-307.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "axis-manual-1.4-307.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:axis-manual-1.4-307.1.x86_64"
        },
        "product_reference": "axis-manual-1.4-307.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-51441",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-51441"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\nThis issue affects Apache Axis: through 1.3.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from  https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06  applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\n this are welcome.\n\n",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:axis-1.4-307.1.aarch64",
          "openSUSE Tumbleweed:axis-1.4-307.1.ppc64le",
          "openSUSE Tumbleweed:axis-1.4-307.1.s390x",
          "openSUSE Tumbleweed:axis-1.4-307.1.x86_64",
          "openSUSE Tumbleweed:axis-manual-1.4-307.1.aarch64",
          "openSUSE Tumbleweed:axis-manual-1.4-307.1.ppc64le",
          "openSUSE Tumbleweed:axis-manual-1.4-307.1.s390x",
          "openSUSE Tumbleweed:axis-manual-1.4-307.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-51441",
          "url": "https://www.suse.com/security/cve/CVE-2023-51441"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1218605 for CVE-2023-51441",
          "url": "https://bugzilla.suse.com/1218605"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:axis-1.4-307.1.aarch64",
            "openSUSE Tumbleweed:axis-1.4-307.1.ppc64le",
            "openSUSE Tumbleweed:axis-1.4-307.1.s390x",
            "openSUSE Tumbleweed:axis-1.4-307.1.x86_64",
            "openSUSE Tumbleweed:axis-manual-1.4-307.1.aarch64",
            "openSUSE Tumbleweed:axis-manual-1.4-307.1.ppc64le",
            "openSUSE Tumbleweed:axis-manual-1.4-307.1.s390x",
            "openSUSE Tumbleweed:axis-manual-1.4-307.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:axis-1.4-307.1.aarch64",
            "openSUSE Tumbleweed:axis-1.4-307.1.ppc64le",
            "openSUSE Tumbleweed:axis-1.4-307.1.s390x",
            "openSUSE Tumbleweed:axis-1.4-307.1.x86_64",
            "openSUSE Tumbleweed:axis-manual-1.4-307.1.aarch64",
            "openSUSE Tumbleweed:axis-manual-1.4-307.1.ppc64le",
            "openSUSE Tumbleweed:axis-manual-1.4-307.1.s390x",
            "openSUSE Tumbleweed:axis-manual-1.4-307.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-51441"
    }
  ]
}

SUSE-SU-2024:0851-1

Vulnerability from csaf_suse - Published: 2024-03-12 15:18 - Updated: 2024-03-12 15:18

Summary

Security update for axis

Severity

Moderate

Notes

Title of the patch: Security update for axis

Description of the patch: This update for axis fixes the following issues: - CVE-2023-51441: Fixed SSRF when untrusted input is passed to the service admin HTTP API (bsc#1218605).

Patchnames: SUSE-2024-851,SUSE-SLE-SERVER-12-SP5-2024-851

CVE-2023-51441

4.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 2 products

Product	Identifier	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Server 12 SP5:axis-1.4-290.9.1.noarch		—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 12 SP5:axis-1.4-290.9.1.noarch		—	Vendor Fix

Threats

Impact moderate

References

8 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1218605	self
https://www.suse.com/security/cve/CVE-2023-51441/	self
https://www.suse.com/security/cve/CVE-2023-51441	external
https://bugzilla.suse.com/1218605	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for axis",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for axis fixes the following issues:\n\n- CVE-2023-51441: Fixed SSRF when untrusted input is passed to the service admin HTTP API (bsc#1218605).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2024-851,SUSE-SLE-SERVER-12-SP5-2024-851",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_0851-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2024:0851-1",
        "url": "https://www.suse.com/support/update/announcement/2024/suse-su-20240851-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2024:0851-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018147.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1218605",
        "url": "https://bugzilla.suse.com/1218605"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-51441 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-51441/"
      }
    ],
    "title": "Security update for axis",
    "tracking": {
      "current_release_date": "2024-03-12T15:18:20Z",
      "generator": {
        "date": "2024-03-12T15:18:20Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2024:0851-1",
      "initial_release_date": "2024-03-12T15:18:20Z",
      "revision_history": [
        {
          "date": "2024-03-12T15:18:20Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "axis-1.4-290.9.1.noarch",
                "product": {
                  "name": "axis-1.4-290.9.1.noarch",
                  "product_id": "axis-1.4-290.9.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "axis-javadoc-1.4-290.9.1.noarch",
                "product": {
                  "name": "axis-javadoc-1.4-290.9.1.noarch",
                  "product_id": "axis-javadoc-1.4-290.9.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "axis-manual-1.4-290.9.1.noarch",
                "product": {
                  "name": "axis-manual-1.4-290.9.1.noarch",
                  "product_id": "axis-manual-1.4-290.9.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server 12 SP5",
                  "product_id": "SUSE Linux Enterprise Server 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles:12:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:12:sp5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "axis-1.4-290.9.1.noarch as component of SUSE Linux Enterprise Server 12 SP5",
          "product_id": "SUSE Linux Enterprise Server 12 SP5:axis-1.4-290.9.1.noarch"
        },
        "product_reference": "axis-1.4-290.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 12 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "axis-1.4-290.9.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 12 SP5:axis-1.4-290.9.1.noarch"
        },
        "product_reference": "axis-1.4-290.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 12 SP5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-51441",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-51441"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\nThis issue affects Apache Axis: through 1.3.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from  https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06  applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\n this are welcome.\n\n",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Server 12 SP5:axis-1.4-290.9.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 12 SP5:axis-1.4-290.9.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-51441",
          "url": "https://www.suse.com/security/cve/CVE-2023-51441"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1218605 for CVE-2023-51441",
          "url": "https://bugzilla.suse.com/1218605"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Server 12 SP5:axis-1.4-290.9.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:axis-1.4-290.9.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Server 12 SP5:axis-1.4-290.9.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 12 SP5:axis-1.4-290.9.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-03-12T15:18:20Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-51441"
    }
  ]
}

SUSE-SU-2024:0852-1

Vulnerability from csaf_suse - Published: 2024-03-12 15:18 - Updated: 2024-03-12 15:18

Summary

Security update for axis

Severity

Moderate

Notes

Title of the patch: Security update for axis

Description of the patch: This update for axis fixes the following issues: - CVE-2023-51441: Fixed SSRF when untrusted input is passed to the service admin HTTP API (bsc#1218605).

Patchnames: SUSE-2024-852,SUSE-SLE-Module-Basesystem-15-SP5-2024-852,openSUSE-SLE-15.5-2024-852

CVE-2023-51441

4.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Affected products

Recommended 3 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP5:axis-1.4-150200.13.9.1.noarch	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:axis-1.4-150200.13.9.1.noarch	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.5:axis-manual-1.4-150200.13.9.1.noarch	—	Vendor Fix

Threats

Impact moderate

References

8 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1218605	self
https://www.suse.com/security/cve/CVE-2023-51441/	self
https://www.suse.com/security/cve/CVE-2023-51441	external
https://bugzilla.suse.com/1218605	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for axis",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for axis fixes the following issues:\n\n\n- CVE-2023-51441: Fixed SSRF when untrusted input is passed to the service admin HTTP API (bsc#1218605).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2024-852,SUSE-SLE-Module-Basesystem-15-SP5-2024-852,openSUSE-SLE-15.5-2024-852",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_0852-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2024:0852-1",
        "url": "https://www.suse.com/support/update/announcement/2024/suse-su-20240852-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2024:0852-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-March/018146.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1218605",
        "url": "https://bugzilla.suse.com/1218605"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-51441 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-51441/"
      }
    ],
    "title": "Security update for axis",
    "tracking": {
      "current_release_date": "2024-03-12T15:18:31Z",
      "generator": {
        "date": "2024-03-12T15:18:31Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2024:0852-1",
      "initial_release_date": "2024-03-12T15:18:31Z",
      "revision_history": [
        {
          "date": "2024-03-12T15:18:31Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "axis-1.4-150200.13.9.1.noarch",
                "product": {
                  "name": "axis-1.4-150200.13.9.1.noarch",
                  "product_id": "axis-1.4-150200.13.9.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "axis-manual-1.4-150200.13.9.1.noarch",
                "product": {
                  "name": "axis-manual-1.4-150200.13.9.1.noarch",
                  "product_id": "axis-manual-1.4-150200.13.9.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Basesystem 15 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Basesystem 15 SP5",
                  "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-basesystem:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.5",
                "product": {
                  "name": "openSUSE Leap 15.5",
                  "product_id": "openSUSE Leap 15.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "axis-1.4-150200.13.9.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP5:axis-1.4-150200.13.9.1.noarch"
        },
        "product_reference": "axis-1.4-150200.13.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "axis-1.4-150200.13.9.1.noarch as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:axis-1.4-150200.13.9.1.noarch"
        },
        "product_reference": "axis-1.4-150200.13.9.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "axis-manual-1.4-150200.13.9.1.noarch as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:axis-manual-1.4-150200.13.9.1.noarch"
        },
        "product_reference": "axis-manual-1.4-150200.13.9.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-51441",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-51441"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Axis allowed users with access to the admin service to perform possible SSRF\nThis issue affects Apache Axis: through 1.3.\n\nAs Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. Alternatively you could use a build of Axis with the patch from  https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06  applied. The Apache Axis project does not expect to create an Axis 1.x release \nfixing this problem, though contributors that would like to work towards\n this are welcome.\n\n",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Basesystem 15 SP5:axis-1.4-150200.13.9.1.noarch",
          "openSUSE Leap 15.5:axis-1.4-150200.13.9.1.noarch",
          "openSUSE Leap 15.5:axis-manual-1.4-150200.13.9.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-51441",
          "url": "https://www.suse.com/security/cve/CVE-2023-51441"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1218605 for CVE-2023-51441",
          "url": "https://bugzilla.suse.com/1218605"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP5:axis-1.4-150200.13.9.1.noarch",
            "openSUSE Leap 15.5:axis-1.4-150200.13.9.1.noarch",
            "openSUSE Leap 15.5:axis-manual-1.4-150200.13.9.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP5:axis-1.4-150200.13.9.1.noarch",
            "openSUSE Leap 15.5:axis-1.4-150200.13.9.1.noarch",
            "openSUSE Leap 15.5:axis-manual-1.4-150200.13.9.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-03-12T15:18:31Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-51441"
    }
  ]
}

WID-SEC-W-2025-0488

Vulnerability from csaf_certbund - Published: 2025-03-05 23:00 - Updated: 2025-03-05 23:00

Summary

IBM FileNet Content Manager: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen

Severity

Mittel

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: IBM FileNet Content Manager ist die Content-Management-Lösung für die FileNet P8-Plattform.

Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in IBM FileNet Content Manager ausnutzen, um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2023-51441

Affected products

Known affected 5 products

Product	Identifier	Version	Remediation
IBM FileNet Content Manager <5.5.8.0-P8CSS-IF009 IBM / FileNet Content Manager		<5.5.8.0-P8CSS-IF009
IBM FileNet Content Manager <5.5.8.0-P8CPE-IF009 IBM / FileNet Content Manager		<5.5.8.0-P8CPE-IF009
IBM FileNet Content Manager <5.5.12.0-P8CSS-IF004 IBM / FileNet Content Manager		<5.5.12.0-P8CSS-IF004
IBM FileNet Content Manager <5.5.12.0-P8CPE-IF004 IBM / FileNet Content Manager		<5.5.12.0-P8CPE-IF004
IBM FileNet Content Manager <5.6.0.0-P8CPE-IF002 IBM / FileNet Content Manager		<5.6.0.0-P8CPE-IF002

References

3 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.ibm.com/support/pages/node/7184914	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "IBM FileNet Content Manager ist die Content-Management-L\u00f6sung f\u00fcr die FileNet P8-Plattform.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in IBM FileNet Content Manager ausnutzen, um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0488 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0488.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0488 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0488"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2025-03-05",
        "url": "https://www.ibm.com/support/pages/node/7184914"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM FileNet Content Manager: Schwachstelle erm\u00f6glicht Umgehen von Sicherheitsvorkehrungen",
    "tracking": {
      "current_release_date": "2025-03-05T23:00:00.000+00:00",
      "generator": {
        "date": "2025-03-06T09:15:17.271+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0488",
      "initial_release_date": "2025-03-05T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-03-05T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c5.6.0.0-P8CPE-IF002",
                "product": {
                  "name": "IBM FileNet Content Manager \u003c5.6.0.0-P8CPE-IF002",
                  "product_id": "T041603"
                }
              },
              {
                "category": "product_version",
                "name": "5.6.0.0-P8CPE-IF002",
                "product": {
                  "name": "IBM FileNet Content Manager 5.6.0.0-P8CPE-IF002",
                  "product_id": "T041603-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_content_manager:5.6.0.0-p8cpe-if002"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c5.5.12.0-P8CPE-IF004",
                "product": {
                  "name": "IBM FileNet Content Manager \u003c5.5.12.0-P8CPE-IF004",
                  "product_id": "T041604"
                }
              },
              {
                "category": "product_version",
                "name": "5.5.12.0-P8CPE-IF004",
                "product": {
                  "name": "IBM FileNet Content Manager 5.5.12.0-P8CPE-IF004",
                  "product_id": "T041604-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_content_manager:5.5.12.0-p8cpe-if004"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c5.5.12.0-P8CSS-IF004",
                "product": {
                  "name": "IBM FileNet Content Manager \u003c5.5.12.0-P8CSS-IF004",
                  "product_id": "T041605"
                }
              },
              {
                "category": "product_version",
                "name": "5.5.12.0-P8CSS-IF004",
                "product": {
                  "name": "IBM FileNet Content Manager 5.5.12.0-P8CSS-IF004",
                  "product_id": "T041605-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_content_manager:5.5.12.0-p8css-if004"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c5.5.8.0-P8CPE-IF009",
                "product": {
                  "name": "IBM FileNet Content Manager \u003c5.5.8.0-P8CPE-IF009",
                  "product_id": "T041606"
                }
              },
              {
                "category": "product_version",
                "name": "5.5.8.0-P8CPE-IF009",
                "product": {
                  "name": "IBM FileNet Content Manager 5.5.8.0-P8CPE-IF009",
                  "product_id": "T041606-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_content_manager:5.5.8.0-p8cpe-if009"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c5.5.8.0-P8CSS-IF009",
                "product": {
                  "name": "IBM FileNet Content Manager \u003c5.5.8.0-P8CSS-IF009",
                  "product_id": "T041607"
                }
              },
              {
                "category": "product_version",
                "name": "5.5.8.0-P8CSS-IF009",
                "product": {
                  "name": "IBM FileNet Content Manager 5.5.8.0-P8CSS-IF009",
                  "product_id": "T041607-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:filenet_content_manager:5.5.8.0-p8css-if009"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "FileNet Content Manager"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-51441",
      "product_status": {
        "known_affected": [
          "T041607",
          "T041606",
          "T041605",
          "T041604",
          "T041603"
        ]
      },
      "release_date": "2025-03-05T23:00:00.000+00:00",
      "title": "CVE-2023-51441"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-51441 (GCVE-0-2023-51441)

Solutions

Solutions

Tags

Sightings

Nomenclature