CVE-2022-45378

Published: Nov 14, 2022Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected (1)

Products: Apache: Soap

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Soap	Up to 2.3

Related CWEs

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References (4)

http://www.openwall.com/lists/oss-security/2022/11/14/4

Source: security@apache.org

Mailing ListThird Party Advisory

https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31

Source: security@apache.org

Mailing ListVendor Advisory

http://www.openwall.com/lists/oss-security/2022/11/14/4

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

Timeline

No history available yet.