Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-45378 (GCVE-0-2022-45378)
Vulnerability from cvelistv5 – Published: 2022-11-14 00:00 – Updated: 2024-08-03 14:09 Unsupported When Assigned
VLAI?
EPSS
Title
Apache SOAP allows unauthenticated users to potentially invoke arbitrary code
Summary
In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity ?
No CVSS data available.
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache SOAP |
Affected:
Apache SOAP 2.3
Unknown: Apache SOAP , < 2.3 (custom) |
Credits
Apache would like to thank TsungShu Chiu (CHT Security) for reporting this issue
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:soap:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "soap",
"vendor": "apache",
"versions": [
{
"lessThan": "2.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45378",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T03:55:24.085Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:09:56.954Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31"
},
{
"name": "[oss-security] 20221114 CVE-2022-45378: Apache SOAP allows unauthenticated users to potentially invoke arbitrary code",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/14/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache SOAP",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "Apache SOAP 2.3"
},
{
"lessThan": "2.3",
"status": "unknown",
"version": "Apache SOAP",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache would like to thank TsungShu Chiu (CHT Security) for reporting this issue"
}
],
"descriptions": [
{
"lang": "en",
"value": "In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-27T12:55:38.995Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31"
},
{
"name": "[oss-security] 20221114 CVE-2022-45378: Apache SOAP allows unauthenticated users to potentially invoke arbitrary code",
"tags": [
"mailing-list"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/14/4"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"unsupported-when-assigned"
],
"title": "Apache SOAP allows unauthenticated users to potentially invoke arbitrary code",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-45378",
"datePublished": "2022-11-14T00:00:00.000Z",
"dateReserved": "2022-11-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T14:09:56.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:soap:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.3\", \"matchCriteriaId\": \"0429414A-57AB-4A24-849A-A2999E860254\"}]}]}]",
"cveTags": "[{\"sourceIdentifier\": \"security@apache.org\", \"tags\": [\"unsupported-when-assigned\"]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.\"}, {\"lang\": \"es\", \"value\": \"** NO COMPATIBLE CUANDO EST\\u00c1 ASIGNADO ** En la configuraci\\u00f3n predeterminada de Apache SOAP, un RPCRouterServlet est\\u00e1 disponible sin autenticaci\\u00f3n. Esto le da al atacante la posibilidad de invocar m\\u00e9todos en el classpath que cumplan ciertos criterios. Dependiendo de las clases que est\\u00e9n disponibles en el classpath, esto podr\\u00eda incluso conducir a la ejecuci\\u00f3n remota de c\\u00f3digo arbitrario. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el mantenedor.\"}]",
"id": "CVE-2022-45378",
"lastModified": "2024-11-21T07:29:08.787",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}, {\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2022-11-14T14:15:10.200",
"references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/14/4\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/14/4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-306\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-306\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-45378\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-11-14T14:15:10.200\",\"lastModified\":\"2024-11-21T07:29:08.787\",\"vulnStatus\":\"Modified\",\"cveTags\":[{\"sourceIdentifier\":\"security@apache.org\",\"tags\":[\"unsupported-when-assigned\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.\"},{\"lang\":\"es\",\"value\":\"** NO COMPATIBLE CUANDO EST\u00c1 ASIGNADO ** En la configuraci\u00f3n predeterminada de Apache SOAP, un RPCRouterServlet est\u00e1 disponible sin autenticaci\u00f3n. Esto le da al atacante la posibilidad de invocar m\u00e9todos en el classpath que cumplan ciertos criterios. Dependiendo de las clases que est\u00e9n disponibles en el classpath, esto podr\u00eda incluso conducir a la ejecuci\u00f3n remota de c\u00f3digo arbitrario. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el mantenedor.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:soap:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.3\",\"matchCriteriaId\":\"0429414A-57AB-4A24-849A-A2999E860254\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/14/4\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/11/14/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/14/4\", \"name\": \"[oss-security] 20221114 CVE-2022-45378: Apache SOAP allows unauthenticated users to potentially invoke arbitrary code\", \"tags\": [\"mailing-list\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T14:09:56.954Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-45378\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-30T04:00:31.335804Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:apache:soap:-:*:*:*:*:*:*:*\"], \"vendor\": \"apache\", \"product\": \"soap\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-30T13:43:51.653Z\"}}], \"cna\": {\"tags\": [\"unsupported-when-assigned\"], \"title\": \"Apache SOAP allows unauthenticated users to potentially invoke arbitrary code\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"value\": \"Apache would like to thank TsungShu Chiu (CHT Security) for reporting this issue\"}], \"metrics\": [{\"other\": {\"type\": \"unknown\", \"content\": {\"other\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache SOAP\", \"versions\": [{\"status\": \"affected\", \"version\": \"Apache SOAP 2.3\"}, {\"status\": \"unknown\", \"version\": \"Apache SOAP\", \"lessThan\": \"2.3\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/11/14/4\", \"name\": \"[oss-security] 20221114 CVE-2022-45378: Apache SOAP allows unauthenticated users to potentially invoke arbitrary code\", \"tags\": [\"mailing-list\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306 Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2023-06-27T12:55:38.995Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-45378\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-03T14:09:56.954Z\", \"dateReserved\": \"2022-11-14T00:00:00.000Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2022-11-14T00:00:00.000Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GSD-2022-45378
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
** UNSUPPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-45378",
"description": "** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GSD-2022-45378"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-45378"
],
"details": "** UNSUPPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GSD-2022-45378",
"modified": "2023-12-13T01:19:24.565919Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-45378",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache SOAP",
"version": {
"version_data": [
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"versions": [
{
"status": "affected",
"version": "Apache SOAP 2.3"
},
{
"lessThan": "2.3",
"status": "unknown",
"version": "Apache SOAP",
"versionType": "custom"
}
]
}
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credits": [
{
"lang": "en",
"value": " Apache would like to thank TsungShu Chiu (CHT Security) for reporting this issue"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** UNSUPPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-306",
"lang": "eng",
"value": "CWE-306 Missing Authentication for Critical Function"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31"
},
{
"name": "http://www.openwall.com/lists/oss-security/2022/11/14/4",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2022/11/14/4"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[0,)",
"affected_versions": "All versions",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-287",
"CWE-78",
"CWE-937"
],
"date": "2022-11-18",
"description": "** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"fixed_versions": [],
"identifier": "CVE-2022-45378",
"identifiers": [
"GHSA-789v-h9hw-38pg",
"CVE-2022-45378"
],
"not_impacted": "",
"package_slug": "maven/soap/soap",
"pubdate": "2022-11-14",
"solution": "Unfortunately, there is no solution available yet.",
"title": "Improper Authentication",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-45378",
"https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31",
"http://www.openwall.com/lists/oss-security/2022/11/14/4",
"https://github.com/advisories/GHSA-789v-h9hw-38pg"
],
"uuid": "1c6f950b-9e9c-466a-bcc4-a5f58dca9633"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:soap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0429414A-57AB-4A24-849A-A2999E860254",
"versionEndIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer."
},
{
"lang": "es",
"value": "** NO COMPATIBLE CUANDO EST\u00c1 ASIGNADO ** En la configuraci\u00f3n predeterminada de Apache SOAP, un RPCRouterServlet est\u00e1 disponible sin autenticaci\u00f3n. Esto le da al atacante la posibilidad de invocar m\u00e9todos en el classpath que cumplan ciertos criterios. Dependiendo de las clases que est\u00e9n disponibles en el classpath, esto podr\u00eda incluso conducir a la ejecuci\u00f3n remota de c\u00f3digo arbitrario. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el mantenedor."
}
],
"id": "CVE-2022-45378",
"lastModified": "2024-04-11T01:17:06.013",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-14T14:15:10.200",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/14/4"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "security@apache.org",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
}
}
}
WID-SEC-W-2024-0899
Vulnerability from csaf_certbund - Published: 2024-04-16 22:00 - Updated: 2025-06-09 22:00Summary
Oracle Fusion Middleware: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.
Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme: - Linux
- UNIX
- Windows
References
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Fusion Middleware b\u00fcndelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-0899 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0899.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-0899 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0899"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - April 2024 - Appendix Oracle Fusion Middleware vom 2024-04-16",
"url": "https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixFMW"
},
{
"category": "external",
"summary": "PoC CVE-2024-21006 vom 2025-06-09",
"url": "https://github.com/d3fudd/CVE-2024-21006_POC"
}
],
"source_lang": "en-US",
"title": "Oracle Fusion Middleware: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-06-09T22:00:00.000+00:00",
"generator": {
"date": "2025-06-10T06:12:15.168+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2024-0899",
"initial_release_date": "2024-04-16T22:00:00.000+00:00",
"revision_history": [
{
"date": "2024-04-16T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2025-06-09T22:00:00.000+00:00",
"number": "2",
"summary": "PoC f\u00fcr CVE-2024-21006 aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "12.2.1.3.0",
"product": {
"name": "Oracle Fusion Middleware 12.2.1.3.0",
"product_id": "618028",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.3.0"
}
}
},
{
"category": "product_version",
"name": "12.2.1.4.0",
"product": {
"name": "Oracle Fusion Middleware 12.2.1.4.0",
"product_id": "751674",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.4.0"
}
}
},
{
"category": "product_version",
"name": "14.1.1.0.0",
"product": {
"name": "Oracle Fusion Middleware 14.1.1.0.0",
"product_id": "829576",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:14.1.1.0.0"
}
}
},
{
"category": "product_version",
"name": "8.5.6",
"product": {
"name": "Oracle Fusion Middleware 8.5.6",
"product_id": "T024993",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:8.5.6"
}
}
},
{
"category": "product_version",
"name": "8.5.7",
"product": {
"name": "Oracle Fusion Middleware 8.5.7",
"product_id": "T034057",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:8.5.7"
}
}
}
],
"category": "product_name",
"name": "Fusion Middleware"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-0231",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2019-0231"
},
{
"cve": "CVE-2019-10172",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2019-10172"
},
{
"cve": "CVE-2019-13990",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2019-13990"
},
{
"cve": "CVE-2021-23369",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2021-23369"
},
{
"cve": "CVE-2022-1471",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2022-1471"
},
{
"cve": "CVE-2022-24329",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2022-24329"
},
{
"cve": "CVE-2022-25147",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2022-25147"
},
{
"cve": "CVE-2022-34169",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2022-34169"
},
{
"cve": "CVE-2022-34381",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2022-34381"
},
{
"cve": "CVE-2022-42003",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2022-42003"
},
{
"cve": "CVE-2022-45378",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2022-45378"
},
{
"cve": "CVE-2022-46337",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2022-46337"
},
{
"cve": "CVE-2022-48579",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2022-48579"
},
{
"cve": "CVE-2023-24021",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-24021"
},
{
"cve": "CVE-2023-2976",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-2976"
},
{
"cve": "CVE-2023-31122",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-31122"
},
{
"cve": "CVE-2023-33201",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-33201"
},
{
"cve": "CVE-2023-35116",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-35116"
},
{
"cve": "CVE-2023-35887",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-35887"
},
{
"cve": "CVE-2023-3635",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-3635"
},
{
"cve": "CVE-2023-37536",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-37536"
},
{
"cve": "CVE-2023-44487",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-44487"
},
{
"cve": "CVE-2023-46218",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-46218"
},
{
"cve": "CVE-2023-46589",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-46589"
},
{
"cve": "CVE-2023-48795",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-48795"
},
{
"cve": "CVE-2023-5072",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-5072"
},
{
"cve": "CVE-2023-52428",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2023-52428"
},
{
"cve": "CVE-2024-1597",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2024-1597"
},
{
"cve": "CVE-2024-20991",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2024-20991"
},
{
"cve": "CVE-2024-20992",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2024-20992"
},
{
"cve": "CVE-2024-21006",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2024-21006"
},
{
"cve": "CVE-2024-21007",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2024-21007"
},
{
"cve": "CVE-2024-21117",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2024-21117"
},
{
"cve": "CVE-2024-21118",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2024-21118"
},
{
"cve": "CVE-2024-21119",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2024-21119"
},
{
"cve": "CVE-2024-21120",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2024-21120"
},
{
"cve": "CVE-2024-23635",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2024-23635"
},
{
"cve": "CVE-2024-26308",
"product_status": {
"known_affected": [
"T024993",
"618028",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-04-16T22:00:00.000+00:00",
"title": "CVE-2024-26308"
}
]
}
WID-SEC-W-2024-1637
Vulnerability from csaf_certbund - Published: 2024-07-16 22:00 - Updated: 2025-03-05 23:00Summary
Oracle Fusion Middleware: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.
Angriff: Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme: - Sonstiges
- UNIX
- Windows
References
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Oracle Fusion Middleware b\u00fcndelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-1637 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1637.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-1637 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1637"
},
{
"category": "external",
"summary": "Oracle Critical Patch Update Advisory - July 2024 - Appendix Oracle Fusion Middleware vom 2024-07-16",
"url": "https://www.oracle.com/security-alerts/cpujul2024.html#AppendixFMW"
},
{
"category": "external",
"summary": "PoC CVE-2024-21182 vom 2024-12-30",
"url": "https://github.com/k4it0k1d/CVE-2024-21182"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7184867 vom 2025-03-05",
"url": "https://www.ibm.com/support/pages/node/7184867"
}
],
"source_lang": "en-US",
"title": "Oracle Fusion Middleware: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-03-05T23:00:00.000+00:00",
"generator": {
"date": "2025-03-06T09:18:07.394+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2024-1637",
"initial_release_date": "2024-07-16T22:00:00.000+00:00",
"revision_history": [
{
"date": "2024-07-16T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-12-30T23:00:00.000+00:00",
"number": "2",
"summary": "PoC f\u00fcr CVE-2024-21182 erg\u00e4nzt"
},
{
"date": "2025-03-05T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von IBM und IBM-APAR aufgenommen"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "5.5.8",
"product": {
"name": "IBM FileNet Content Manager 5.5.8",
"product_id": "1487483",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:filenet_content_manager:5.5.8"
}
}
},
{
"category": "product_version",
"name": "5.5.12",
"product": {
"name": "IBM FileNet Content Manager 5.5.12",
"product_id": "T039291",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:filenet_content_manager:5.5.12"
}
}
},
{
"category": "product_version",
"name": "5.6.0",
"product": {
"name": "IBM FileNet Content Manager 5.6.0",
"product_id": "T039292",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:filenet_content_manager:5.6.0"
}
}
}
],
"category": "product_name",
"name": "FileNet Content Manager"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "12.2.1.4.0",
"product": {
"name": "Oracle Fusion Middleware 12.2.1.4.0",
"product_id": "751674",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.4.0"
}
}
},
{
"category": "product_version",
"name": "14.1.1.0.0",
"product": {
"name": "Oracle Fusion Middleware 14.1.1.0.0",
"product_id": "829576",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:14.1.1.0.0"
}
}
},
{
"category": "product_version",
"name": "8.5.7",
"product": {
"name": "Oracle Fusion Middleware 8.5.7",
"product_id": "T034057",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:8.5.7"
}
}
},
{
"category": "product_version",
"name": "12.2.1.19.0",
"product": {
"name": "Oracle Fusion Middleware 12.2.1.19.0",
"product_id": "T036225",
"product_identification_helper": {
"cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.19.0"
}
}
}
],
"category": "product_name",
"name": "Fusion Middleware"
}
],
"category": "vendor",
"name": "Oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-13956",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2020-13956"
},
{
"cve": "CVE-2020-1945",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2020-1945"
},
{
"cve": "CVE-2021-29425",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2021-29425"
},
{
"cve": "CVE-2021-37533",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2021-37533"
},
{
"cve": "CVE-2022-40152",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2022-40152"
},
{
"cve": "CVE-2022-45378",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2022-45378"
},
{
"cve": "CVE-2023-24998",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2023-24998"
},
{
"cve": "CVE-2023-29081",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2023-29081"
},
{
"cve": "CVE-2023-2976",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2023-2976"
},
{
"cve": "CVE-2023-34034",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2023-34034"
},
{
"cve": "CVE-2023-36478",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2023-36478"
},
{
"cve": "CVE-2023-45853",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2023-45853"
},
{
"cve": "CVE-2023-46750",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2023-46750"
},
{
"cve": "CVE-2023-4759",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2023-4759"
},
{
"cve": "CVE-2023-48795",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2023-48795"
},
{
"cve": "CVE-2023-5072",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2023-5072"
},
{
"cve": "CVE-2023-52425",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2023-52425"
},
{
"cve": "CVE-2023-6129",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2023-6129"
},
{
"cve": "CVE-2024-0853",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-0853"
},
{
"cve": "CVE-2024-21133",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-21133"
},
{
"cve": "CVE-2024-21175",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-21175"
},
{
"cve": "CVE-2024-21181",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-21181"
},
{
"cve": "CVE-2024-21182",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-21182"
},
{
"cve": "CVE-2024-21183",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-21183"
},
{
"cve": "CVE-2024-22201",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-22201"
},
{
"cve": "CVE-2024-22243",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-22243"
},
{
"cve": "CVE-2024-22259",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-22259"
},
{
"cve": "CVE-2024-22262",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-22262"
},
{
"cve": "CVE-2024-25062",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-25062"
},
{
"cve": "CVE-2024-26308",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-26308"
},
{
"cve": "CVE-2024-29025",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-29025"
},
{
"cve": "CVE-2024-29857",
"product_status": {
"known_affected": [
"1487483",
"T039292",
"T039291",
"T036225",
"751674",
"T034057",
"829576"
]
},
"release_date": "2024-07-16T22:00:00.000+00:00",
"title": "CVE-2024-29857"
}
]
}
CNVD-2022-78864
Vulnerability from cnvd - Published: 2022-11-21
VLAI Severity ?
Title
Apache SOAP身份验证错误漏洞
Description
Apache SOAP是美国阿帕奇(Apache)基金会的用作客户端库来调用其他地方可用的 SOAP服务,也可以用作服务器端工具来实现SOAP可访问服务。
Apache SOAP存在身份验证错误漏洞,该漏洞源于RPCRouterServlet无需身份验证即可使用,攻击者可利用该漏洞有可能在满足特定条件的类路径上调用方法,根据类路径上可用的类可能导致任意远程代码执行。
Severity
高
Patch Name
Apache SOAP身份验证错误漏洞的补丁
Patch Description
Apache SOAP是美国阿帕奇(Apache)基金会的用作客户端库来调用其他地方可用的 SOAP服务,也可以用作服务器端工具来实现SOAP可访问服务。
Apache SOAP存在身份验证错误漏洞,该漏洞源于RPCRouterServlet无需身份验证即可使用,攻击者可利用该漏洞有可能在满足特定条件的类路径上调用方法,根据类路径上可用的类可能导致任意远程代码执行。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新: https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31
Reference
https://nvd.nist.gov/vuln/detail/CVE-2022-45378
Impacted products
| Name | Apache SOAP <=2.3 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2022-45378",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-45378"
}
},
"description": "Apache SOAP\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u7528\u4f5c\u5ba2\u6237\u7aef\u5e93\u6765\u8c03\u7528\u5176\u4ed6\u5730\u65b9\u53ef\u7528\u7684 SOAP\u670d\u52a1\uff0c\u4e5f\u53ef\u4ee5\u7528\u4f5c\u670d\u52a1\u5668\u7aef\u5de5\u5177\u6765\u5b9e\u73b0SOAP\u53ef\u8bbf\u95ee\u670d\u52a1\u3002\n\nApache SOAP\u5b58\u5728\u8eab\u4efd\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eRPCRouterServlet\u65e0\u9700\u8eab\u4efd\u9a8c\u8bc1\u5373\u53ef\u4f7f\u7528\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6709\u53ef\u80fd\u5728\u6ee1\u8db3\u7279\u5b9a\u6761\u4ef6\u7684\u7c7b\u8def\u5f84\u4e0a\u8c03\u7528\u65b9\u6cd5\uff0c\u6839\u636e\u7c7b\u8def\u5f84\u4e0a\u53ef\u7528\u7684\u7c7b\u53ef\u80fd\u5bfc\u81f4\u4efb\u610f\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2022-78864",
"openTime": "2022-11-21",
"patchDescription": "Apache SOAP\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u7528\u4f5c\u5ba2\u6237\u7aef\u5e93\u6765\u8c03\u7528\u5176\u4ed6\u5730\u65b9\u53ef\u7528\u7684 SOAP\u670d\u52a1\uff0c\u4e5f\u53ef\u4ee5\u7528\u4f5c\u670d\u52a1\u5668\u7aef\u5de5\u5177\u6765\u5b9e\u73b0SOAP\u53ef\u8bbf\u95ee\u670d\u52a1\u3002\r\n\r\nApache SOAP\u5b58\u5728\u8eab\u4efd\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eRPCRouterServlet\u65e0\u9700\u8eab\u4efd\u9a8c\u8bc1\u5373\u53ef\u4f7f\u7528\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6709\u53ef\u80fd\u5728\u6ee1\u8db3\u7279\u5b9a\u6761\u4ef6\u7684\u7c7b\u8def\u5f84\u4e0a\u8c03\u7528\u65b9\u6cd5\uff0c\u6839\u636e\u7c7b\u8def\u5f84\u4e0a\u53ef\u7528\u7684\u7c7b\u53ef\u80fd\u5bfc\u81f4\u4efb\u610f\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Apache SOAP\u8eab\u4efd\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "Apache SOAP \u003c=2.3"
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2022-45378",
"serverity": "\u9ad8",
"submitTime": "2022-11-17",
"title": "Apache SOAP\u8eab\u4efd\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}
GHSA-789V-H9HW-38PG
Vulnerability from github – Published: 2022-11-14 19:00 – Updated: 2022-11-18 16:11
VLAI?
Summary
Apache SOAP contains unauthenticated RPCRouterServlet
Details
** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Severity ?
9.8 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "soap:soap"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-45378"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-306",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-18T16:11:22Z",
"nvd_published_at": "2022-11-14T14:15:00Z",
"severity": "CRITICAL"
},
"details": "** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-789v-h9hw-38pg",
"modified": "2022-11-18T16:11:22Z",
"published": "2022-11-14T19:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45378"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/11/14/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache SOAP contains unauthenticated RPCRouterServlet"
}
NCSC-2024-0298
Vulnerability from csaf_ncscnl - Published: 2024-07-17 13:54 - Updated: 2024-07-17 13:54Summary
Kwetsbaarheden verholpen in Oracle Fusion Middleware
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten: Er zijn kwetsbaarheden verholpen in Oracle Fusion Middleware.
Interpretaties: Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:
* Denial-of-Service (DoS)
* Toegang tot gevoelige gegevens
* Toegang tot systeemgegevens
* Manipulatie van gegevens
* (Remote) code execution (Gebruikersrechten)
Oplossingen: Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.
Kans: medium
Schade: high
CWE-122: Heap-based Buffer Overflow
CWE-145: Improper Neutralization of Section Delimiters
CWE-190: Integer Overflow or Wraparound
CWE-20: Improper Input Validation
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-222: Truncation of Security-relevant Information
CWE-284: Improper Access Control
CWE-299: Improper Check for Certificate Revocation
CWE-306: Missing Authentication for Critical Function
CWE-328: Use of Weak Hash
CWE-377: Insecure Temporary File
CWE-400: Uncontrolled Resource Consumption
CWE-404: Improper Resource Shutdown or Release
CWE-416: Use After Free
CWE-552: Files or Directories Accessible to External Parties
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-787: Out-of-bounds Write
CWE-918: Server-Side Request Forgery (SSRF)
CWE-377
- Insecure Temporary File
5.3 (Medium)
CWE-22
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
7.5 (High)
7.5 (High)
9.8 (Critical)
7.1 (High)
7.5 (High)
6.5 (Medium)
CWE-404
- Improper Resource Shutdown or Release
CWE-404
- Improper Resource Shutdown or Release
9.8 (Critical)
7.5 (High)
9.8 (Critical)
6.4 (Medium)
5.9 (Medium)
7.5 (High)
9.8 (Critical)
9.8 (Critical)
7.5 (High)
8.1 (High)
8.1 (High)
8.1 (High)
7.5 (High)
5.9 (Medium)
CWE-770
- Allocation of Resources Without Limits or Throttling
7.5 (High)
References
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Er zijn kwetsbaarheden verholpen in Oracle Fusion Middleware.",
"title": "Feiten"
},
{
"category": "description",
"text": "Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorie\u00ebn schade:\n\n* Denial-of-Service (DoS)\n* Toegang tot gevoelige gegevens\n* Toegang tot systeemgegevens\n* Manipulatie van gegevens\n* (Remote) code execution (Gebruikersrechten)",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Heap-based Buffer Overflow",
"title": "CWE-122"
},
{
"category": "general",
"text": "Improper Neutralization of Section Delimiters",
"title": "CWE-145"
},
{
"category": "general",
"text": "Integer Overflow or Wraparound",
"title": "CWE-190"
},
{
"category": "general",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "general",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "general",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
},
{
"category": "general",
"text": "Truncation of Security-relevant Information",
"title": "CWE-222"
},
{
"category": "general",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "general",
"text": "Improper Check for Certificate Revocation",
"title": "CWE-299"
},
{
"category": "general",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
},
{
"category": "general",
"text": "Use of Weak Hash",
"title": "CWE-328"
},
{
"category": "general",
"text": "Insecure Temporary File",
"title": "CWE-377"
},
{
"category": "general",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "general",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "general",
"text": "Use After Free",
"title": "CWE-416"
},
{
"category": "general",
"text": "Files or Directories Accessible to External Parties",
"title": "CWE-552"
},
{
"category": "general",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
},
{
"category": "general",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
},
{
"category": "general",
"text": "Out-of-bounds Write",
"title": "CWE-787"
},
{
"category": "general",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13956"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1945"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45378"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29081"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2976"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34034"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36478"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45853"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46750"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4759"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48795"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5072"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52425"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6129"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0853"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21133"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21175"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21181"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21182"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21183"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22201"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22243"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22259"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22262"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25062"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26308"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29857"
},
{
"category": "external",
"summary": "Reference - oracle",
"url": "https://www.oracle.com/docs/tech/security-alerts/cpujul2024csaf.json"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; ibm; nvd; oracle",
"url": "https://www.oracle.com/security-alerts/cpujul2024.html"
}
],
"title": " Kwetsbaarheden verholpen in Oracle Fusion Middleware",
"tracking": {
"current_release_date": "2024-07-17T13:54:00.411174Z",
"id": "NCSC-2024-0298",
"initial_release_date": "2024-07-17T13:54:00.411174Z",
"revision_history": [
{
"date": "2024-07-17T13:54:00.411174Z",
"number": "0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "fusion_middleware_mapviewer",
"product": {
"name": "fusion_middleware_mapviewer",
"product_id": "CSAFPID-226018",
"product_identification_helper": {
"cpe": "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_name",
"name": "fusion_middleware",
"product": {
"name": "fusion_middleware",
"product_id": "CSAFPID-271904",
"product_identification_helper": {
"cpe": "cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*"
}
}
}
],
"category": "vendor",
"name": "oracle"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-1945",
"cwe": {
"id": "CWE-377",
"name": "Insecure Temporary File"
},
"notes": [
{
"category": "other",
"text": "Insecure Temporary File",
"title": "CWE-377"
}
],
"product_status": {
"known_affected": [
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2020-1945",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-1945.json"
}
],
"title": "CVE-2020-1945"
},
{
"cve": "CVE-2020-13956",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2020-13956",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-13956.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-226018",
"CSAFPID-271904"
]
}
],
"title": "CVE-2020-13956"
},
{
"cve": "CVE-2021-29425",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"title": "CWE-22"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2021-29425",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-29425.json"
}
],
"title": "CVE-2021-29425"
},
{
"cve": "CVE-2021-37533",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"notes": [
{
"category": "other",
"text": "Exposure of Sensitive Information to an Unauthorized Actor",
"title": "CWE-200"
},
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2021-37533",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-37533.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-226018",
"CSAFPID-271904"
]
}
],
"title": "CVE-2021-37533"
},
{
"cve": "CVE-2022-40152",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Write",
"title": "CWE-787"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2022-40152",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-40152.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-226018",
"CSAFPID-271904"
]
}
],
"title": "CVE-2022-40152"
},
{
"cve": "CVE-2022-45378",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"notes": [
{
"category": "other",
"text": "Missing Authentication for Critical Function",
"title": "CWE-306"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2022-45378",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-45378.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-226018",
"CSAFPID-271904"
]
}
],
"title": "CVE-2022-45378"
},
{
"cve": "CVE-2023-2976",
"cwe": {
"id": "CWE-552",
"name": "Files or Directories Accessible to External Parties"
},
"notes": [
{
"category": "other",
"text": "Files or Directories Accessible to External Parties",
"title": "CWE-552"
}
],
"product_status": {
"known_affected": [
"CSAFPID-271904",
"CSAFPID-226018"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-2976",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-2976.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-271904",
"CSAFPID-226018"
]
}
],
"title": "CVE-2023-2976"
},
{
"cve": "CVE-2023-4759",
"product_status": {
"known_affected": [
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-4759",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-4759.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-271904"
]
}
],
"title": "CVE-2023-4759"
},
{
"cve": "CVE-2023-5072",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
}
],
"product_status": {
"known_affected": [
"CSAFPID-271904",
"CSAFPID-226018"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-5072",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-5072.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-271904",
"CSAFPID-226018"
]
}
],
"title": "CVE-2023-5072"
},
{
"cve": "CVE-2023-6129",
"cwe": {
"id": "CWE-328",
"name": "Use of Weak Hash"
},
"notes": [
{
"category": "other",
"text": "Use of Weak Hash",
"title": "CWE-328"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-6129",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-6129.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-226018",
"CSAFPID-271904"
]
}
],
"title": "CVE-2023-6129"
},
{
"cve": "CVE-2023-24998",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
},
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
}
],
"product_status": {
"known_affected": [
"CSAFPID-271904",
"CSAFPID-226018"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-24998",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-24998.json"
}
],
"title": "CVE-2023-24998"
},
{
"cve": "CVE-2023-29081",
"cwe": {
"id": "CWE-404",
"name": "Improper Resource Shutdown or Release"
},
"notes": [
{
"category": "other",
"text": "Improper Resource Shutdown or Release",
"title": "CWE-404"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-29081",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-29081.json"
}
],
"title": "CVE-2023-29081"
},
{
"cve": "CVE-2023-34034",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"notes": [
{
"category": "other",
"text": "Improper Access Control",
"title": "CWE-284"
},
{
"category": "other",
"text": "Improper Neutralization of Section Delimiters",
"title": "CWE-145"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-34034",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-34034.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-226018",
"CSAFPID-271904"
]
}
],
"title": "CVE-2023-34034"
},
{
"cve": "CVE-2023-36478",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "other",
"text": "Integer Overflow or Wraparound",
"title": "CWE-190"
}
],
"product_status": {
"known_affected": [
"CSAFPID-271904",
"CSAFPID-226018"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-36478",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-36478.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-271904",
"CSAFPID-226018"
]
}
],
"title": "CVE-2023-36478"
},
{
"cve": "CVE-2023-45853",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"notes": [
{
"category": "other",
"text": "Heap-based Buffer Overflow",
"title": "CWE-122"
},
{
"category": "other",
"text": "Integer Overflow or Wraparound",
"title": "CWE-190"
}
],
"product_status": {
"known_affected": [
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-45853",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-45853.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-271904"
]
}
],
"title": "CVE-2023-45853"
},
{
"cve": "CVE-2023-46750",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"category": "other",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
}
],
"product_status": {
"known_affected": [
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-46750",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-46750.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-271904"
]
}
],
"title": "CVE-2023-46750"
},
{
"cve": "CVE-2023-48795",
"cwe": {
"id": "CWE-222",
"name": "Truncation of Security-relevant Information"
},
"notes": [
{
"category": "other",
"text": "Truncation of Security-relevant Information",
"title": "CWE-222"
}
],
"product_status": {
"known_affected": [
"CSAFPID-271904",
"CSAFPID-226018"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-48795",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-48795.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-271904",
"CSAFPID-226018"
]
}
],
"title": "CVE-2023-48795"
},
{
"cve": "CVE-2023-52425",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
}
],
"product_status": {
"known_affected": [
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-52425",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-52425.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-271904"
]
}
],
"title": "CVE-2023-52425"
},
{
"cve": "CVE-2024-0853",
"cwe": {
"id": "CWE-299",
"name": "Improper Check for Certificate Revocation"
},
"notes": [
{
"category": "other",
"text": "Improper Check for Certificate Revocation",
"title": "CWE-299"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-0853",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-0853.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-226018",
"CSAFPID-271904"
]
}
],
"title": "CVE-2024-0853"
},
{
"cve": "CVE-2024-21133",
"product_status": {
"known_affected": [
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-21133",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21133.json"
}
],
"title": "CVE-2024-21133"
},
{
"cve": "CVE-2024-21175",
"product_status": {
"known_affected": [
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-21175",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21175.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-271904"
]
}
],
"title": "CVE-2024-21175"
},
{
"cve": "CVE-2024-21181",
"product_status": {
"known_affected": [
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-21181",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21181.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-271904"
]
}
],
"title": "CVE-2024-21181"
},
{
"cve": "CVE-2024-21182",
"product_status": {
"known_affected": [
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-21182",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21182.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-271904"
]
}
],
"title": "CVE-2024-21182"
},
{
"cve": "CVE-2024-21183",
"product_status": {
"known_affected": [
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-21183",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21183.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-271904"
]
}
],
"title": "CVE-2024-21183"
},
{
"cve": "CVE-2024-22201",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-22201",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22201.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-226018",
"CSAFPID-271904"
]
}
],
"title": "CVE-2024-22201"
},
{
"cve": "CVE-2024-22243",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"notes": [
{
"category": "other",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
},
{
"category": "other",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-22243",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22243.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-226018",
"CSAFPID-271904"
]
}
],
"title": "CVE-2024-22243"
},
{
"cve": "CVE-2024-22259",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"category": "other",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
},
{
"category": "other",
"text": "Server-Side Request Forgery (SSRF)",
"title": "CWE-918"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-22259",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22259.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-226018",
"CSAFPID-271904"
]
}
],
"title": "CVE-2024-22259"
},
{
"cve": "CVE-2024-22262",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"notes": [
{
"category": "other",
"text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"title": "CWE-601"
}
],
"product_status": {
"known_affected": [
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-22262",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22262.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-271904"
]
}
],
"title": "CVE-2024-22262"
},
{
"cve": "CVE-2024-25062",
"cwe": {
"id": "CWE-416",
"name": "Use After Free"
},
"notes": [
{
"category": "other",
"text": "Use After Free",
"title": "CWE-416"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-25062",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-25062.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-226018",
"CSAFPID-271904"
]
}
],
"title": "CVE-2024-25062"
},
{
"cve": "CVE-2024-26308",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
}
],
"product_status": {
"known_affected": [
"CSAFPID-226018",
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-26308",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-26308.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-226018",
"CSAFPID-271904"
]
}
],
"title": "CVE-2024-26308"
},
{
"cve": "CVE-2024-29025",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"notes": [
{
"category": "other",
"text": "Allocation of Resources Without Limits or Throttling",
"title": "CWE-770"
}
],
"product_status": {
"known_affected": [
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-29025",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-29025.json"
}
],
"title": "CVE-2024-29025"
},
{
"cve": "CVE-2024-29857",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"notes": [
{
"category": "other",
"text": "Uncontrolled Resource Consumption",
"title": "CWE-400"
},
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
}
],
"product_status": {
"known_affected": [
"CSAFPID-271904"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2024-29857",
"url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-29857.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-271904"
]
}
],
"title": "CVE-2024-29857"
}
]
}
FKIE_CVE-2022-45378
Vulnerability from fkie_nvd - Published: 2022-11-14 14:15 - Updated: 2024-11-21 07:29
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2022/11/14/4 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2022/11/14/4 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31 | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:soap:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0429414A-57AB-4A24-849A-A2999E860254",
"versionEndIncluding": "2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "security@apache.org",
"tags": [
"unsupported-when-assigned"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer."
},
{
"lang": "es",
"value": "** NO COMPATIBLE CUANDO EST\u00c1 ASIGNADO ** En la configuraci\u00f3n predeterminada de Apache SOAP, un RPCRouterServlet est\u00e1 disponible sin autenticaci\u00f3n. Esto le da al atacante la posibilidad de invocar m\u00e9todos en el classpath que cumplan ciertos criterios. Dependiendo de las clases que est\u00e9n disponibles en el classpath, esto podr\u00eda incluso conducir a la ejecuci\u00f3n remota de c\u00f3digo arbitrario. NOTA: Esta vulnerabilidad solo afecta a productos que ya no son compatibles con el mantenedor."
}
],
"id": "CVE-2022-45378",
"lastModified": "2024-11-21T07:29:08.787",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-14T14:15:10.200",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/14/4"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2022/11/14/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…