Description

Apache Axis2 contains a flaw that may allow a remote attacker to access arbitrary files. A remote attacker could send a specially-crafted URL request using the xsd parameter to specify a malicious file from the local system, which could allow the attacker to obtain sensitive information or execute arbitrary code on the vulnerable Web server.

Remediation

Upgrade to the latest version of Apache Axis2. This issue was fixed in Apache Axis2 version 1.4.1.

References

Apache Axis2 local file inclusion

Local File Inclusion Vulnerability on parsing WSDL related XSD Files

Related Vulnerabilities

WordPress Plugin cloudsafe365_for_WP 'file' Parameter Remote File Disclosure (1.46)

WordPress Plugin CP Image Store with Slideshow Arbitrary File Download (1.0.5)

WordPress Plugin SlideDeck 2 Lite Responsive Content Slider Local/Remote File Inclusion (2.3.3)

Possible username or password disclosure

Spring Boot Actuator v2

Severity

High

Classification

CWE-22 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

File Inclusion Information Disclosure