Bug#1060169: axis: CVE-2023-51441
Salvatore Bonaccorso
carnil at debian.org
Sat Jan 6 19:57:12 GMT 2024
Source: axis
Version: 1.4-29
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 1.4-28
Control: found -1 1.4-28+deb12u1
Hi,
The following vulnerability was published for axis.
CVE-2023-51441[0]:
| ** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation
| vulnerability in Apache Axis allowed users with access to the admin
| service to perform possible SSRF. This issue affects Apache Axis:
| through 1.3. As Axis 1 has been EOL we recommend you migrate to a
| different SOAP engine, such as Apache Axis 2/Java. Alternatively you
| could use a build of Axis with the patch from
| https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06 applied.
| The Apache Axis project does not expect to create an Axis 1.x
| release fixing this problem, though contributors that would like to
| work towards this are welcome.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-51441
https://www.cve.org/CVERecord?id=CVE-2023-51441
[1] https://www.openwall.com/lists/oss-security/2024/01/05/2
[2] https://github.com/apache/axis-axis1-java/commit/685c309febc64aa393b2d64a05f90e7eb9f73e06
Regards,
Salvatore