
=====================================================================

                               CERT-Renater

                    Information Notice No. 2022/VULN340

_____________________________________________________________________

DATE                : 22/09/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache SOAP.

=====================================================================
https://lists.apache.org/thread/02yo04w93rdjmllz4454lvodn5xzhwhl
_____________________________________________________________________

Arnout Engelen - Thursday 22 September 2022 10:07:35 UTC+2
Severity: important


Description:

** UNSUPPORTED WHEN ASSIGNED ** An Improper Restriction of XML
External Entity Reference vulnerability in RPCRouterServlet of
Apache SOAP allows an attacker to read arbitrary files over HTTP.
This issue affects Apache SOAP version 2.2 and later versions.
It is unknown whether previous versions are also affected. NOTE:
This vulnerability only affects products that are no longer
supported by the maintainer.
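The class of flaw described above is XML External Entity (XXE) injection: a SOAP endpoint hands the request body to an XML parser that still honours a DOCTYPE, so an entity declared in that DOCTYPE can pull in local files or remote resources. The following Java example is added here by the editor and is not part of the CERT-Renater notice, the Apache mailing-list post, or Apache SOAP itself. It shows the parser configuration that a replacement stack (or any legacy servlet that must stay online during migration) should apply, and demonstrates it against a constructed SOAP 1.1 envelope; the entity URI `file:///PLACEHOLDER-PATH`, the `urn:example` namespace and the `echo` operation are all invented for the demonstration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Hardened XML parsing for a SOAP request body: the DOCTYPE is rejected
 * outright, so no external entity can ever be resolved.
 */
public class HardenedSoapParser {

    // Constructed sample: a SOAP 1.1 envelope whose DOCTYPE declares an
    // external entity. The SYSTEM URI is a placeholder, not a real target.
    static final String ENVELOPE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE Envelope [\n" +
        "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER-PATH\">\n" +
        "]>\n" +
        "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">\n" +
        "  <SOAP-ENV:Body><ns:echo xmlns:ns=\"urn:example\"><arg>&ext;</arg></ns:echo></SOAP-ENV:Body>\n" +
        "</SOAP-ENV:Envelope>";

    // Constructed sample: the same call as a benign client would send it.
    static final String BENIGN_ENVELOPE =
        "<?xml version=\"1.0\"?>\n" +
        "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">\n" +
        "  <SOAP-ENV:Body><ns:echo xmlns:ns=\"urn:example\"><arg>hello</arg></ns:echo></SOAP-ENV:Body>\n" +
        "</SOAP-ENV:Envelope>";

    /** Builds a DocumentBuilder that cannot resolve external entities. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: refuse any DOCTYPE. This blocks external general
        // entities, parameter entities and entity-expansion (billion laughs).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, for parser implementations that may not honour the
        // feature above: switch off every path to an external resource.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 properties: empty string means no protocol is allowed.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    /** Parses a request body with the hardened builder. */
    public static Document parse(String xml) throws Exception {
        return newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Document ok = parse(BENIGN_ENVELOPE);
        System.out.println("benign envelope parsed, root = "
            + ok.getDocumentElement().getTagName());
        try {
            parse(ENVELOPE_WITH_DOCTYPE);
            System.out.println("UNEXPECTED: envelope with DOCTYPE was accepted");
        } catch (SAXException e) {
            // disallow-doctype-decl raises a SAXParseException before any
            // entity is resolved, so the placeholder file is never touched.
            System.out.println("DOCTYPE rejected as expected: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE is the only one of these settings that is strictly necessary with the JDK's built-in Xerces; the remaining features and the `ACCESS_EXTERNAL_*` properties cover cases where an application swaps in a different JAXP implementation that ignores the Xerces-specific feature. A request that is refused this way is also a useful detection signal: legitimate SOAP clients have no reason to send a DOCTYPE, so logging these rejections with the source address gives an early indicator of probing.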


Mitigation:

We do not expect to release a version that fixes this problem.
Instead, we recommend that users migrate to one of the other
actively maintained web service stacks such as Apache CXF
(https://cxf.apache.org) or Apache Axis (https://axis.apache.org).

Apache SOAP is an archived project, with the last release published
in 2003. This means it is no longer maintained, does not receive
updates, and we do not commit to publishing CVEs for security
problems in this project. This advisory is published purely as a
courtesy.


Credit:

Apache would like to thank TsungShu Chiu (CHT Security) for
reporting this issue.



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================