VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-zgre-mq7s-ebch

Essentials
Severities (33)
References (10)
Severity details (19)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-zgre-mq7s-ebch
Aliases	CVE-2023-40743 GHSA-rmqp-9w4c-gc7w
Summary	Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome.
Status	Published
Exploitability	0.5
Weighted Severity	9.0
Risk	4.5
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-20	Improper Input Validation
CWE-75	Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00959	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
epss	0.00959	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
epss	0.00959	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
epss	0.00959	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
epss	0.00959	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
epss	0.00959	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
epss	0.01164	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
epss	0.01164	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
epss	0.01164	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
epss	0.01164	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
epss	0.01164	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
epss	0.01164	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
epss	0.01164	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
epss	0.01164	https://api.first.org/data/v1/epss?cve=CVE-2023-40743
cvssv3.1_qr	CRITICAL	https://github.com/advisories/GHSA-rmqp-9w4c-gc7w
cvssv3.1	9.8	https://github.com/apache/axis-axis1-java
cvssv4	9.3	https://github.com/apache/axis-axis1-java
generic_textual	CRITICAL	https://github.com/apache/axis-axis1-java
cvssv3.1	9.8	https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
cvssv4	9.3	https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
generic_textual	CRITICAL	https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
ssvc	Track	https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
cvssv3.1	9.8	https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82
cvssv4	9.3	https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82
generic_textual	CRITICAL	https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82
ssvc	Track	https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82
cvssv3.1	9.8	https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html
cvssv4	9.3	https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html
generic_textual	CRITICAL	https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html
ssvc	Track	https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html
cvssv3.1	9.8	https://nvd.nist.gov/vuln/detail/CVE-2023-40743
cvssv4	9.3	https://nvd.nist.gov/vuln/detail/CVE-2023-40743
generic_textual	CRITICAL	https://nvd.nist.gov/vuln/detail/CVE-2023-40743

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2023-40743
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40743
		https://github.com/apache/axis-axis1-java
		https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
		https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82
		https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html
1051288		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051288
CVE-2023-40743		https://nvd.nist.gov/vuln/detail/CVE-2023-40743
GHSA-rmqp-9w4c-gc7w		https://github.com/advisories/GHSA-rmqp-9w4c-gc7w
USN-6470-1		https://usn.ubuntu.com/6470-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/axis-axis1-java

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/apache/axis-axis1-java

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-07-18T15:52:10Z/ Found at https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-07-18T15:52:10Z/ Found at https://lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-07-18T15:52:10Z/ Found at https://lists.debian.org/debian-lts-announce/2023/10/msg00025.html

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-40743

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-40743

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.76499
EPSS Score	0.00959
Published At	April 16, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:51:45.293599+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/axis/axis/CVE-2023-40743.yml	38.0.0