CVE-2019-0227

HIGH

Apache Axis < 7.3.5 - SSRF

Title source: rule

Description

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not vulnerable to this issue.

Exploits (2)

exploitdb WORKING POC
by David Yesland · python · remote · multiple
https://www.exploit-db.com/exploits/46682
nomisec WORKING POC 4 stars
by ianxtianxt · poc
https://github.com/ianxtianxt/cve-2019-0227

Scores

CVSS v3 7.5
EPSS 0.8988
EPSS Percentile 99.6%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-918
Status published
Products (50)
apache/axis 1.4
axis/axis 0 Maven
oracle/agile_engineering_data_management 6.2.1.0
oracle/agile_product_lifecycle_management 9.3.3
oracle/application_testing_suite 13.2.0.1
oracle/application_testing_suite 13.3.0.1
oracle/big_data_discovery 1.6
oracle/communications_asap_cartridges 7.2
oracle/communications_asap_cartridges 7.3
oracle/communications_design_studio 7.3.4.3.0
... and 40 more
Published May 01, 2019
Tracked Since Feb 18, 2026