CVE-2010-1632
Apache Axis2 < 1.5.2 - XML External Entity Injection via SOAP DTD Processing
Title source: llmDescription
Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.
References (19)
Core 19
Core References
Various Sources vendor-advisory
x_refsource_aixapar
http://www-1.ibm.com/support/docview.wss?uid=swg1PM14847
Various Sources x_refsource_confirm
https://issues.apache.org/jira/browse/AXIS2-4450
Various Sources x_refsource_confirm
https://issues.apache.org/jira/browse/GERONIMO-5383
Various Sources x_refsource_misc
http://markmail.org/message/e4yiij7lfexastvl
Various Sources x_refsource_confirm
http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html
Various Sources vendor-advisory
x_refsource_aixapar
http://www-1.ibm.com/support/docview.wss?uid=swg1PM14844
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1528
Various Sources vendor-advisory
x_refsource_aixapar
http://www-1.ibm.com/support/docview.wss?uid=swg1PM14765
Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1531
Various Sources x_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21433581
Vendor Advisory x_refsource_confirm
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289984
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/41025
Various Sources x_refsource_confirm
http://geronimo.apache.org/22x-security-report.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1036901
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/41016
Patch x_refsource_confirm
https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/40279
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/40252
Various Sources x_refsource_confirm
http://geronimo.apache.org/21x-security-report.html
Scores
EPSS
0.2237
EPSS Percentile
97.4%
Details
CWE
CWE-20
Status
published
Products (6)
apache/axis2
1.3
apache/axis2
1.4
apache/axis2
1.4.1
apache/axis2
1.5
apache/axis2
< 1.5.1
org.apache.axis2.wso2/axis2
0 - 1.5.2Maven
Published
Jun 22, 2010
Tracked Since
Feb 18, 2026