** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** When
integrating Apache Axis 1.x in an application, it may not have been obvious
that looking up a service through “ServiceFactory.getService” allows
potentially dangerous lookup mechanisms such as LDAP. When passing
untrusted input to this API method, this could expose the application to
DoS, SSRF and even attacks leading to RCE.
As Axis 1 has been EOL we recommend you migrate to a different SOAP engine,
such as Apache Axis 2/Java. As a workaround, you may review your code to
verify no untrusted or unsanitized input is passed to
“ServiceFactory.getService”, or by applying the patch from
. The Apache Axis project does not expect to create an Axis 1.x release
fixing this problem, though contributors that would like to work towards
this are welcome.
Back to Main