Lucene search

GitHub Advisory DatabaseGHSA-88R4-38GC-97P4

HistoryMay 17, 2022 - 5:16 a.m.

Apache Axis2 Vulnerable to XML Signature wrapping attack

2022-05-1705:16:12

CWE-287

GitHub Advisory Database

github.com

apache axis2

xml signature

vulnerability

authentication bypass

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

AI Score

7.5

Confidence

Low

EPSS

0.004

Percentile

72.3%

JSON

Apache Axis2 allows remote attackers to forge messages and bypass authentication via an “XML Signature wrapping attack.”

Affected configurations

Vulners

Node

org.apache.axis2axis2Range<1.7.9

VendorProductVersionCPE
org.apache.axis2axis2*cpe:2.3:a:org.apache.axis2:axis2:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
org.apache.axis2	axis2	*	cpe:2.3:a:org.apache.axis2:axis2::::::::

References

www.nds.rub.de/media/nds/veroeffentlichungen/2012/08/22/BreakingSAML_3.pdf

www.openwall.com/lists/oss-security/2012/09/12/1

www.openwall.com/lists/oss-security/2012/09/13/1

bugzilla.redhat.com/show_bug.cgi?id=856755

github.com/advisories/GHSA-88r4-38gc-97p4

issues.apache.org/jira/browse/AXIS2-5930

issues.apache.org/jira/browse/AXIS2C-1694

nvd.nist.gov/vuln/detail/CVE-2012-4418

web.archive.org/web/20121114075457/www.securityfocus.com/bid/55508

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

AI Score

7.5

Confidence

Low

EPSS

0.004

Percentile

72.3%

JSON

Related for GHSA-88R4-38GC-97P4