NVD Vulnerability Detail

CVE-2023-40743

Summary	UNSUPPORTED WHEN ASSIGNED When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.
Publication Date	Sept. 6, 2023, 12:15 a.m.
Registration Date	Sept. 6, 2023, 10 a.m.
Last Update	Nov. 21, 2024, 5:20 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:apache:axis::::::::					2023-08-01

Related information, measures and tools

No	URL	タグ
1	https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210	Patch
2	https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210	Patch
3	https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82	Issue Tracking Patch Vendor Advisory
4	https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82	Issue Tracking Patch Vendor Advisory
5	https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html
6	https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html

Common Vulnerabilities List

JVN Vulnerability Information

Apache Software Foundation の Apache Axis における入力確認に関する脆弱性

Title	Apache Software Foundation の Apache Axis における入力確認に関する脆弱性
Summary	サポート外本件は、サポートされていない製品における脆弱性です。 Apache Software Foundation の Apache Axis には、入力確認に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Sept. 5, 2023, midnight
Registration Date	Dec. 18, 2023, 9:54 a.m.
Last Update	Dec. 18, 2023, 9:54 a.m.

Affected System

Apache Software Foundation

Apache Axis 2023-08-01 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2023-40743	https://www.cve.org/CVERecord?id=CVE-2023-40743
National Vulnerability Database (NVD)
2	CVE-2023-40743	https://nvd.nist.gov/vuln/detail/CVE-2023-40743

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

その他

No	Name	URL
関連文書
1	github.com (7e66753427466590d6def0125e448d2791723210)	https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
2	lists.apache.org (gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82)	https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82
3	lists.debian.org (msg00025)	https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html

Change Log

No	Changed Details	Date of change
1	[2023年12月18日] 掲載	Dec. 18, 2023, 9:54 a.m.