CVE-2022-45378
CVSS V2 None
CVSS V3 Critical 9.8
Description
** UNSUPPPORTED WHEN ASSIGNED **In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Overview
- CVE ID
- CVE-2022-45378
- Assigner
- security@apache.org
- Vulnerability Status
- Analyzed
- Published Version
- 2022-11-14T14:15:10
- Last Modified Date
- 2023-03-01T02:25:50
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:apache:soap:*:*:*:*:*:*:*:* | 1 | OR | 2.3 |
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- HIGH
- Base Score
- 9.8
- Base Severity
- CRITICAL
- Exploitability Score
- 3.9
- Impact Score
- 5.9
References
| Reference URL | Reference Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2022/11/14/4 | Mailing List Third Party Advisory |
| https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31 | Mailing List Vendor Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-45378 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45378 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-11-14 15:00:09 | Added to TrackCVE | |||
| 2022-12-07 17:41:22 | 2022-11-14T14:15Z | 2022-11-14T14:15:10 | CVE Published Date | updated |
| 2022-12-07 17:41:22 | 2022-11-16T18:57:59 | CVE Modified Date | updated | |
| 2022-12-07 17:41:22 | Analyzed | Vulnerability Status | updated | |
| 2022-12-07 17:41:23 | CPE Information | updated | ||
| 2022-12-07 17:41:23 | References | updated | ||
| 2022-12-21 07:02:12 | 2022-12-20T14:15:12 | CVE Modified Date | updated | |
| 2022-12-21 07:02:12 | Analyzed | Modified | Vulnerability Status | updated |
| 2022-12-21 07:02:13 | ** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ** UNSUPPPORTED WHEN ASSIGNED **In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even lead to arbitrary remote code execution. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | Description | updated |
| 2022-12-28 15:14:27 | Modified | Undergoing Analysis | Vulnerability Status | updated |
| 2023-03-01 03:16:36 | 2023-03-01T02:25:50 | CVE Modified Date | updated | |
| 2023-03-01 03:16:36 | Undergoing Analysis | Analyzed | Vulnerability Status | updated |