CVE-2019-0227
HIGH severity · CVSS 7.5 · Server-side request forgery (SSRF)
7.5CVSS HIGH
Summary
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.
Impact & exploitability
Attack vectorAdjacent
Attack complexityHigh
Privileges requiredNone
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)87%
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products we track (2)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: https://www.oracle.com/security-alerts/cpuApr2021.html ↗
Additional information
- NVD record
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch
- https://www.oracle.com/security-alerts/cpuapr2020.htmlPatch
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch
- https://www.oracle.com/security-alerts/cpujan2020.htmlPatch
- https://lists.apache.org/thread.html/r3a5baf5d76f1f2181be7f54da3deab70d7a38b5660b387583d05a8cd%40%3Cjava-user.axis.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/Advisory