CVE-2022-45378: Improper Authentication

November 14, 2022 (updated November 18, 2022)

** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References

www.openwall.com/lists/oss-security/2022/11/14/4
github.com/advisories/GHSA-789v-h9hw-38pg
lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31
nvd.nist.gov/vuln/detail/CVE-2022-45378

Code Behaviors & Features

Detect and mitigate CVE-2022-45378 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →