Apache Axis2 < 1.5 'xsd' Parameter Directory Traversal

medium Nessus Network Monitor Plugin ID 5554

Synopsis

The remote web server hosts a web application that is vulnerable to a directory traversal attack.

Description

The remote web server is hosting Axis2, a web services engine.

Versions of Axis2 earlier than 1.5 are potentially affected by a directory traversal vulnerability in the 'xsd' parameter of activated services. An attacker exploiting this flaw can read arbitrary files on the affected host.

Solution

Upgrade to Apache Axis2 1.5 or later.

See Also

https://issues.apache.org/jira/browse/AXIS2-4279

Plugin Details

Severity: Medium

ID: 5554

Family: CGI

Published: 5/26/2010

Updated: 3/6/2019

Nessus ID: 46741

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:F/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:apache:axis2:-

Patch Publication Date: 6/9/2009

Vulnerability Publication Date: 3/20/2009

Reference Information

BID: 40343