Apache Axis2 < 1.5 'xsd' Parameter Directory Traversal

Medium Nessus Network Monitor Plugin ID 5554

Synopsis

The remote web server hosts a web application that is vulnerable to a directory traversal attack.

Description

The remote web server is hosting Axis2, a web services engine.

Versions of Axis2 earlier than 1.5 are potentially affected by a directory traversal vulnerability in the 'xsd' parameter of activated services. An attacker who exploits this flaw can read arbitrary files on the affected host.

Solution

Upgrade to Apache Axis2 1.5 or later.

See Also

https://issues.apache.org/jira/browse/AXIS2-4279

Plugin Details

Severity: Medium

ID: 5554

File Name: 5554.prm

Family: CGI

Published: 2010/05/26

Modified: 2016/01/21

Dependencies: 3057

Nessus ID: 46741

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:F/RL:U/RC:ND

CVSSv3

Base Score: 5.3

Temporal Score: 5.2

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS3#E:F/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:apache:axis2:-

Patch Publication Date: 2009/06/09

Vulnerability Publication Date: 2009/03/20

Reference Information

BID: 40343