Server-Side Request Forgery (SSRF)

Affecting axis package, versions debian:10: * || debian:8: * || debian:9: * || debian:unstable: * || ubuntu:14.04: * || ubuntu:16.04: * || ubuntu:18.04: * || ubuntu:18.10: *

Do your applications use this vulnerable package? Test your applications

Overview

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.

References

CVSS Score

7.5
high severity
  • Attack Vector
    Adjacent
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE
CVE-2019-0227
CWE
CWE-918
Snyk ID
SNYK-LINUX-AXIS-443291
Disclosed
01 May, 2019
Published
13 Apr, 2019