7.5

CVE-2010-1632

Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheAxis2 Version <= 1.5.1
   IbmWebsphere Application Server Version7.0
   IbmWebsphere Application Server Version7.0.0.1
   IbmWebsphere Application Server Version7.0.0.2
   IbmWebsphere Application Server Version7.0.0.3
   IbmWebsphere Application Server Version7.0.0.4
   IbmWebsphere Application Server Version7.0.0.5
   IbmWebsphere Application Server Version7.0.0.6
   IbmWebsphere Application Server Version7.0.0.7
   IbmWebsphere Application Server Version7.0.0.8
   IbmWebsphere Application Server Version7.0.0.9
   IbmWebsphere Application Server Version7.0.0.10
   IbmWebsphere Application Server Version7.0.0.11
   IbmWebsphere Application Server Version7.0.0.12
ApacheAxis2 Version1.3
   IbmWebsphere Application Server Version7.0
   IbmWebsphere Application Server Version7.0.0.1
   IbmWebsphere Application Server Version7.0.0.2
   IbmWebsphere Application Server Version7.0.0.3
   IbmWebsphere Application Server Version7.0.0.4
   IbmWebsphere Application Server Version7.0.0.5
   IbmWebsphere Application Server Version7.0.0.6
   IbmWebsphere Application Server Version7.0.0.7
   IbmWebsphere Application Server Version7.0.0.8
   IbmWebsphere Application Server Version7.0.0.9
   IbmWebsphere Application Server Version7.0.0.10
   IbmWebsphere Application Server Version7.0.0.11
   IbmWebsphere Application Server Version7.0.0.12
ApacheAxis2 Version1.4
   IbmWebsphere Application Server Version7.0
   IbmWebsphere Application Server Version7.0.0.1
   IbmWebsphere Application Server Version7.0.0.2
   IbmWebsphere Application Server Version7.0.0.3
   IbmWebsphere Application Server Version7.0.0.4
   IbmWebsphere Application Server Version7.0.0.5
   IbmWebsphere Application Server Version7.0.0.6
   IbmWebsphere Application Server Version7.0.0.7
   IbmWebsphere Application Server Version7.0.0.8
   IbmWebsphere Application Server Version7.0.0.9
   IbmWebsphere Application Server Version7.0.0.10
   IbmWebsphere Application Server Version7.0.0.11
   IbmWebsphere Application Server Version7.0.0.12
ApacheAxis2 Version1.4.1
   IbmWebsphere Application Server Version7.0
   IbmWebsphere Application Server Version7.0.0.1
   IbmWebsphere Application Server Version7.0.0.2
   IbmWebsphere Application Server Version7.0.0.3
   IbmWebsphere Application Server Version7.0.0.4
   IbmWebsphere Application Server Version7.0.0.5
   IbmWebsphere Application Server Version7.0.0.6
   IbmWebsphere Application Server Version7.0.0.7
   IbmWebsphere Application Server Version7.0.0.8
   IbmWebsphere Application Server Version7.0.0.9
   IbmWebsphere Application Server Version7.0.0.10
   IbmWebsphere Application Server Version7.0.0.11
   IbmWebsphere Application Server Version7.0.0.12
ApacheAxis2 Version1.5
   IbmWebsphere Application Server Version7.0
   IbmWebsphere Application Server Version7.0.0.1
   IbmWebsphere Application Server Version7.0.0.2
   IbmWebsphere Application Server Version7.0.0.3
   IbmWebsphere Application Server Version7.0.0.4
   IbmWebsphere Application Server Version7.0.0.5
   IbmWebsphere Application Server Version7.0.0.6
   IbmWebsphere Application Server Version7.0.0.7
   IbmWebsphere Application Server Version7.0.0.8
   IbmWebsphere Application Server Version7.0.0.9
   IbmWebsphere Application Server Version7.0.0.10
   IbmWebsphere Application Server Version7.0.0.11
   IbmWebsphere Application Server Version7.0.0.12
ApacheAxis2 Version <= 1.5.1
   ApacheGeronimo
ApacheAxis2 Version1.3
   ApacheGeronimo
ApacheAxis2 Version1.4
   ApacheGeronimo
ApacheAxis2 Version1.4.1
   ApacheGeronimo
ApacheAxis2 Version1.5
   ApacheGeronimo
ApacheAxis2 Version <= 1.5.1
ApacheAxis2 Version1.4.1
ApacheAxis2 Version <= 1.5.1
   ApacheSynapse
ApacheAxis2 Version1.3
   ApacheSynapse
ApacheAxis2 Version1.4
   ApacheSynapse
ApacheAxis2 Version1.4.1
   ApacheSynapse
ApacheAxis2 Version1.5
   ApacheSynapse
ApacheAxis2 Version <= 1.5.1
   ApacheTuscany
ApacheAxis2 Version1.3
   ApacheTuscany
ApacheAxis2 Version1.4
   ApacheTuscany
ApacheAxis2 Version1.4.1
   ApacheTuscany
ApacheAxis2 Version1.5
   ApacheTuscany
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 22.37% 0.974
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html
http://geronimo.apache.org/21x-security-report.html
http://geronimo.apache.org/22x-security-report.html
http://secunia.com/advisories/41016
http://secunia.com/advisories/41025
http://markmail.org/message/e4yiij7lfexastvl
http://secunia.com/advisories/40252
Vendor Advisory
http://secunia.com/advisories/40279
Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21433581
http://www-1.ibm.com/support/docview.wss?uid=swg1PM14765
http://www-1.ibm.com/support/docview.wss?uid=swg1PM14844
http://www-1.ibm.com/support/docview.wss?uid=swg1PM14847
http://www.securitytracker.com/id/1036901
http://www.vupen.com/english/advisories/2010/1528
Vendor Advisory
http://www.vupen.com/english/advisories/2010/1531
Vendor Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289984
https://issues.apache.org/jira/browse/AXIS2-4450
https://issues.apache.org/jira/browse/GERONIMO-5383
https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf