CVE-2010-1632

Apache Axis2 < 1.5.2 - XML External Entity Injection via SOAP DTD Processing

Title source: llm
STIX 2.1

Description

Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.

References (19)

Core 19
Core References
Various Sources vendor-advisory x_refsource_aixapar
http://www-1.ibm.com/support/docview.wss?uid=swg1PM14847
Various Sources x_refsource_confirm
https://issues.apache.org/jira/browse/AXIS2-4450
Various Sources x_refsource_confirm
https://issues.apache.org/jira/browse/GERONIMO-5383
Various Sources x_refsource_misc
http://markmail.org/message/e4yiij7lfexastvl
Various Sources vendor-advisory x_refsource_aixapar
http://www-1.ibm.com/support/docview.wss?uid=swg1PM14844
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1528
Various Sources vendor-advisory x_refsource_aixapar
http://www-1.ibm.com/support/docview.wss?uid=swg1PM14765
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1531
Various Sources x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21433581
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/41025
Various Sources x_refsource_confirm
http://geronimo.apache.org/22x-security-report.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036901
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/41016
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/40279
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/40252
Various Sources x_refsource_confirm
http://geronimo.apache.org/21x-security-report.html

Scores

EPSS 0.2237
EPSS Percentile 97.4%

Details

CWE
CWE-20
Status published
Products (6)
apache/axis2 1.3
apache/axis2 1.4
apache/axis2 1.4.1
apache/axis2 1.5
apache/axis2 < 1.5.1
org.apache.axis2.wso2/axis2 0 - 1.5.2Maven
Published Jun 22, 2010
Tracked Since Feb 18, 2026