[Forgot Password]
Login  Register Subscribe

24128

 
 

131615

 
 

112965

 
 

909

 
 

87888

 
 

136

Paid content will be excluded from the download.


Download | Alert*
CVE
view XML view JSON

CVE-2010-1632Date: (C)2010-06-22   (M)2018-02-19


Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V2 Severity:
CVSS Score : 7.5
Exploit Score: 10.0
Impact Score: 6.4
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
  
Reference:
SECTRACK-1036901
SECUNIA-40252
SECUNIA-40279
SECUNIA-41016
SECUNIA-41025
ADV-2010-1528
ADV-2010-1531
http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html
http://geronimo.apache.org/21x-security-report.html
http://geronimo.apache.org/22x-security-report.html
http://markmail.org/message/e4yiij7lfexastvl
http://www-01.ibm.com/support/docview.wss?uid=swg21433581
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289984
https://issues.apache.org/jira/browse/AXIS2-4450
https://issues.apache.org/jira/browse/GERONIMO-5383
https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf

CPE    5
cpe:/a:apache:axis2:1.3
cpe:/a:apache:axis2:1.4
cpe:/a:apache:axis2:1.5
cpe:/a:apache:axis2:1.4.1
...
CWE    1
CWE-20

© SecPod Technologies