
=====================================================================

                                 CERT-Renater

                     Information Note No. 2022/VULN424

_____________________________________________________________________

DATE                : 17/11/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache SOAP.

=====================================================================
https://lists.apache.org/thread/g4l64s283njhnph2otx7q4gs2j952d31
_____________________________________________________________________

Severity: moderate

Description:

** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of
Apache SOAP, an RPCRouterServlet is available without authentication.
This gives an attacker the possibility to invoke methods on the
classpath that meet certain criteria. Depending on what classes
are available on the classpath this might even lead to arbitrary
remote code execution.

NOTE: This vulnerability only affects products that are no longer
supported by the maintainer.
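
A configuration check for the exposure described above, as an added example that is not part of this advisory or of Apache SOAP: it parses a deployment's web.xml and reports RPCRouterServlet mappings that accept POST without a security-constraint carrying an auth-constraint. The class name org.apache.soap.server.http.RPCRouterServlet, the sample descriptors and the role name soap-client are assumptions, and servlet mappings are assumed to be exact paths.

```python
import xml.etree.ElementTree as ET

ROUTER_CLASS = "org.apache.soap.server.http.RPCRouterServlet"  # assumed class name

def _find(elem, name):                       # descendants by local tag, namespace ignored
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    return [(e.text or "").strip() for e in _find(elem, name)]

def _rank(pattern, url):                     # specificity of a match, -1 when no match
    if pattern == url:
        return len(url) + 1                  # exact match beats any prefix
    prefix = pattern[:-2]
    if pattern.endswith("/*") and (url == prefix or url.startswith(prefix + "/")):
        return len(prefix)
    return -1

def exposed_routers(web_xml):
    """Return (servlet-name, url-pattern) pairs that accept POST without login."""
    root = ET.fromstring(web_xml)
    names = {_text(s, "servlet-name")[0] for s in _find(root, "servlet")
             if ROUTER_CLASS in _text(s, "servlet-class")}
    urls = [(n, u) for m in _find(root, "servlet-mapping")
            for n in _text(m, "servlet-name") if n in names
            for u in _text(m, "url-pattern")]
    rules = []                               # (pattern, has auth-constraint)
    for c in _find(root, "security-constraint"):
        methods = _text(c, "http-method")
        if (methods and "POST" not in methods) or "POST" in _text(c, "http-method-omission"):
            continue                         # constraint does not apply to POST
        rules += [(p, bool(_find(c, "auth-constraint"))) for p in _text(c, "url-pattern")]
    exposed = []
    for name, url in urls:
        best = max((_rank(p, url) for p, _ in rules), default=-1)
        # The most specific pattern decides; every constraint on it must demand auth.
        if best < 0 or not all(a for p, a in rules if _rank(p, url) == best):
            exposed.append((name, url))
    return exposed

STOCK = """<web-app>
  <servlet><servlet-name>rpcrouter</servlet-name>
    <servlet-class>org.apache.soap.server.http.RPCRouterServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>rpcrouter</servlet-name>
    <url-pattern>/servlet/rpcrouter</url-pattern></servlet-mapping>
</web-app>"""                                # constructed sample, no constraint
HARDENED = STOCK.replace("</web-app>", """<security-constraint>
  <web-resource-collection><web-resource-name>soap</web-resource-name>
    <url-pattern>/servlet/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>soap-client</role-name></auth-constraint>
</security-constraint></web-app>""")         # constructed sample with a constraint
```

An empty result only means the descriptor itself demands authentication for the mapping; controls applied outside web.xml are not inspected.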


Credit:

Apache would like to thank TsungShu Chiu (CHT Security) for
reporting this issue.



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


