SCA: security update for org.apache.axis2.wso2:axis2 (GHSA-23vv-v25h-qwqw)

critical Tenable Self-Hosted Container Security Plugin ID 408645

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM
Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache
Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in
SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet
servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by
an entity declaration in a request to the Synapse SimpleStockQuoteService. (CVE-2010-1632)

See Also

https://github.com/advisories/GHSA-23vv-v25h-qwqw

Plugin Details

Severity: Critical

ID: 408645

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2010-1632

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/17/2022

Vulnerability Publication Date: 6/13/2010

Exploitable With

CANVAS (D2ExploitPack)

Elliot (Apache Axis2 File Disclosure)

Reference Information

CVE: CVE-2010-1632

BID: 40976

cwe: CWE-20