CVE-2022-45378

CRITICAL 9.8

Apache SOAP allows unauthenticated users to potentially invoke arbitrary code

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CWE	CWE-306
Vendor	apache software foundation
Product	apache soap
Published	Nov 14, 2022
Last Updated	Aug 3, 2024

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache soap

Be the first to know when new critical vulnerabilities affecting apache software foundation apache soap are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache SOAP

Apache SOAP 2.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31 openwall.com: http://www.openwall.com/lists/oss-security/2022/11/14/4

Credits

Apache would like to thank TsungShu Chiu (CHT Security) for reporting this issue