CyberSec.Space Logo
Back to CVE Browser

CVE-2010-1632

HIGH
7.5
CVSS Severity Score
EPSS Score0.0490%
EPSS Percentile25.38th
PublishedJun 22, 2010
Last ModifiedApr 29, 2026

Vulnerability Description

Apache Axis2 before 1.5.2, as used in IBM WebSphere Application Server (WAS) 7.0 through 7.0.0.12, IBM Feature Pack for Web Services 6.1.0.9 through 6.1.0.32, IBM Feature Pack for Web 2.0 1.0.1.0, Apache Synapse, Apache ODE, Apache Tuscany, Apache Geronimo, and other products, does not properly reject DTDs in SOAP messages, which allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a crafted DTD, as demonstrated by an entity declaration in a request to the Synapse SimpleStockQuoteService.

Affected Platforms (CPE)

πŸ“¦
Apache

Axis2

<= 1.5.1
πŸ“¦
Apache

Axis2

= 1.3
πŸ“¦
Apache

Axis2

= 1.4
πŸ“¦
Apache

Axis2

= 1.4.1
πŸ“¦
Apache

Axis2

= 1.5

References & Advisories

πŸ”— http://geronimo.apache.org/2010/07/21/apache-geronimo-v216-released.html
πŸ”— http://geronimo.apache.org/21x-security-report.html
πŸ”— http://geronimo.apache.org/22x-security-report.html
πŸ”— http://markmail.org/message/e4yiij7lfexastvl
πŸ”— http://secunia.com/advisories/40252
πŸ”— http://secunia.com/advisories/40279
πŸ”— http://secunia.com/advisories/41016
πŸ”— http://secunia.com/advisories/41025

Related Vulnerabilities

CVE-2010-021910.0

Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a de...

CVE-2018-1472110.0

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by ...

CVE-2018-193609.8

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the ax...

CVE-2019-02277.5

A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Secur...