Posted to java-dev@axis.apache.org by "Andreas Veithen (JIRA)" <ji...@apache.org> on 2017/04/19 19:54:41 UTC

[jira] [Resolved] (AXIS2-5846) Local file inclusion vulnerability in Axis2

     [ https://issues.apache.org/jira/browse/AXIS2-5846?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andreas Veithen resolved AXIS2-5846.
------------------------------------
    Resolution: Incomplete

The issue description doesn't contain any information about the actual vulnerability. Since this is related to a proprietary product and the report claims that it has been disclosed publicly, it is very likely a vulnerability that was present in an older version of Axis2 and that has been fixed since (such as e.g. AXIS2-4279).

> Local file inclusion vulnerability in Axis2
> -------------------------------------------
>
>                 Key: AXIS2-5846
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5846
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.6.2
>            Reporter: Nupur
>
> Defect CSCvd86595: Local file inclusion vulnerability in Axis2 
> A defect has been raised on Present PCP 7.3 axis version
> *There is a Local File Inclusion (LFI) present in the Axis2 service. It allows the attacker to view certain files that would normally be inaccessible. This is a violation of PSB requirement SEC-SUP-PATCH because this is a publicly disclosed vulnerability with a patch.
> *security impact: Some of the files that are accessible via this LFI contain the username and password to the Axis2 admin interface. While the admin interface appears to be disabled currently, if it was ever enabled or an attacker found a way to access it, they would gain admin access to the Axis2 system. 
> In addition, this vulnerability is publicly known, which makes it more likely to be exploited by an attacker. 


