Description

This Axis enabled web application has enabled listing of the Web Service Deployment Descriptor (WSDD). This feature exposes the current system configuration which contains sensitive information like the adminservice password.

It's recommended to modify the configuration file WEB-INF/server-config.wsdd to disable configuration listing .

Remediation

In the example below, the web application disable listing of the Web Service Deployment Descriptor (WSDD): 

<globalConfiguration>
 <parameter name="axis.enableListQuery" value="false"/>
</globalConfiguration>

References

Global Axis Configuration

Related Vulnerabilities

Apache Kafka Unauthorized Access Vulnerability

Apache Tomcat version older than 7.0.32

Jenkins Git Plugin missing permission check (CVE-2022-36883)

SSL Certificate Is About To Expire

Web2py weak secret key

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration