QwikSec

Security Database

CVE

CWE

Training

CVE-2022-45378

Published: Nov 14, 2022

Modified: Aug 3, 2024

PUBLISHED

Description

In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Vendor	Product	Versions
Apache Software Foundation	Apache SOAP	affected `Apache SOAP 2.3` unknown `Apache SOAP - < 2.3`

Weaknesses (CWE)

References

https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31

[oss-security] 20221114 CVE-2022-45378: Apache SOAP allows unauthenticated users to potentially invoke arbitrary code

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.