Search for packages
| purl | pkg:deb/debian/axis@1.4-12%2Bdeb6u1 |
| Next non-vulnerable version | 1.4-28+deb11u1 |
| Latest non-vulnerable version | 1.4-28+deb11u1 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-hj44-args-tfa4
Aliases: CVE-2012-5784 GHSA-55w9-c3g2-4rrh |
Man-in-the-middle attack in Apache Axis Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
Affected by 3 other vulnerabilities. |
|
VCID-jdjt-ey4h-z3az
Aliases: CVE-2018-8032 GHSA-96jq-75wh-2658 |
Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services. |
Affected by 1 other vulnerability. |
|
VCID-xydr-nxmx-wffp
Aliases: CVE-2014-3596 GHSA-r53v-vm87-f72c |
Improper Validation of Certificate with Host Mismatch The `getCN` function in Apache Axis does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or `subjectAltName` field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the `CN` field. |
Affected by 2 other vulnerabilities. |
|
VCID-zgre-mq7s-ebch
Aliases: CVE-2023-40743 GHSA-rmqp-9w4c-gc7w |
Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService When integrating Apache Axis 1.x in an application, it may not have been obvious that looking up a service through "ServiceFactory.getService" allows potentially dangerous lookup mechanisms such as LDAP. When passing untrusted input to this API method, this could expose the application to DoS, SSRF and even attacks leading to RCE. As Axis 1 has been EOL we recommend you migrate to a different SOAP engine, such as Apache Axis 2/Java. As a workaround, you may review your code to verify no untrusted or unsanitized input is passed to "ServiceFactory.getService", or by applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The Apache Axis project does not expect to create an Axis 1.x release fixing this problem, though contributors that would like to work towards this are welcome. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||