Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-45378

In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Published

2022-11-14T14:15:10.200

Last Modified

2024-11-21T07:29:08.787

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Primary
CWE-306
Type: Secondary
CWE-306

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	soap	≤ 2.3	Yes

References

http://www.openwall.com/lists/oss-security/2022/11/14/4 Mailing List, Third Party Advisory ([email protected])
https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31 Mailing List, Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2022/11/14/4 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31 Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)