Advisory Database
  • Advisories
  • Dependency Scanning
  1. maven
  2. ›
  3. soap/soap
  4. ›
  5. CVE-2022-45378

CVE-2022-45378: Improper Authentication

November 14, 2022 (updated November 18, 2022)

** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References

  • www.openwall.com/lists/oss-security/2022/11/14/4
  • github.com/advisories/GHSA-789v-h9hw-38pg
  • lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31
  • nvd.nist.gov/vuln/detail/CVE-2022-45378

Code Behaviors & Features

Detect and mitigate CVE-2022-45378 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions

Solution

Unfortunately, there is no solution available yet.

Impact 9.8 CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS

Weakness

  • CWE-287: Improper Authentication
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Source file

maven/soap/soap/CVE-2022-45378.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 14 May 2025 12:14:43 +0000.