CVE-2022-34269

Name of the Vulnerable Software and Affected Versions RWS WorldServer versions prior to 11.7.3

Description An issue was discovered that allows an authenticated, remote attacker to perform a blind SSRF attack using the ws-legacy/load dtd?system id= endpoint to deploy JSP code to the Apache Axis service running on the localhost interface, leading to command execution.

Recommendations For versions prior to 11.7.3, update to version 11.7.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the ws-legacy/load dtd endpoint until a patch is available. Avoid using the system id parameter in the affected API endpoint until the issue is resolved.