CVE-2019-0227high
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.
References
https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://lists.apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://lists.apache.org/thread.html/[email protected]%3Cjava-user.axis.apache.org%3E
Details
Source: MITRE
Published: 2019-05-01
Updated: 2021-10-20
Type: CWE-918
Risk Information
CVSS v2
Base Score: 5.4
Vector: AV:A/AC:M/Au:N/C:P/I:P/A:P
Impact Score: 6.4
Exploitability Score: 5.5
Severity: MEDIUM
CVSS v3
Base Score: 7.5
Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 1.6
Severity: HIGH
Vulnerable Software
Configuration 1
OR
Configuration 2
OR
cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_product_lifecycle_management_framework:9.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_asap_cartridges:7.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_asap_cartridges:7.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_design_studio:7.3.4.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_design_studio:7.3.5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_design_studio:7.4.0.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_design_studio:7.4.1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_network_integrity:7.3.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_order_and_service_management:7.3.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_order_and_service_management:7.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_for_fusion_middleware:12.1.0.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from 7.3.3 to 7.3.5 (inclusive)
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:* versions from 8.0.0 to 8.0.8 (inclusive)
cpe:2.3:a:oracle:financial_services_compliance_regulatory_reporting:*:*:*:*:*:*:*:* versions from 8.0.6 to 8.0.8 (inclusive)
cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:* versions from 8.0.2 to 8.0.7 (inclusive)
cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:knowledge:*:*:*:*:*:*:*:* versions from 8.6.0 to 8.6.3 (inclusive)
cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_human_resources:7.3.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_human_resources:7.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_human_resources:9.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:16.2.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:17.12.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* versions from 17.7 to 17.12 (inclusive)
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:real-time_decision_server:3.2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:secure_global_desktop:5.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:tuxedo:12.1.1.0.0:*:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 138564 | Oracle WebCenter Portal Multiple Vulnerabilities (Jul 2020 CPU) | Nessus | Misc. | high |
| 138555 | Oracle Enterprise Manager Cloud Control (Jul 2020 CPU) | Nessus | Misc. | high |
| 135681 | Oracle Application Testing Suite (Apr 2020 CPU) | Nessus | Misc. | high |
| 133359 | Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2020 CPU) | Nessus | CGI abuses | critical |
| 133042 | Oracle Secure Global Desktop Multiple Vulnerabilities (January 2020 CPU) | Nessus | Misc. | medium |
| 133041 | Oracle Tuxedo Remote Code Execution Vulnerability (Jan 2020 CPU) | Nessus | Misc. | high |
| 132936 | Oracle Primavera Gateway Multiple Vulnerabilities (Jan 2020 CPU) | Nessus | CGI abuses | critical |