PT-2023-6524 · Apache · Apache Axis

Letian Yuan · Published 2023-09-05 · Updated 2024-08-02 · CVE-2023-40743

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache Axis versions prior to 1.4

Description
The issue arises from insufficient input validation in the Apache Axis web service platform: when a service is looked up through ServiceFactory.getService, the supplied name may select potentially dangerous lookup mechanisms such as LDAP. Passing untrusted input to this API method could expose the application to Denial of Service (DoS), Server-Side Request Forgery (SSRF), and even attacks leading to Remote Code Execution (RCE).

Recommendations
As a temporary workaround, review your code to verify that no untrusted or unsanitized input is passed to ServiceFactory.getService. Migrate to a different SOAP engine, such as Apache Axis 2/Java, to fully resolve the issue. Applying the patch from https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 is an alternative workaround.
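The code review the recommendations call for is easiest when the application never hands a caller-controlled name to the lookup at all. The following guard is an added example written for this page; it is not part of the advisory, of Apache Axis, or of the linked patch. The class name JndiNameGuard, the key-to-name table and the sample inputs are constructed assumptions: the idea is that application code resolves a short, allowlisted key to a fixed local JNDI name and only then calls ServiceFactory.getService, so a value such as an ldap: URL never reaches the lookup.

```java
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Hypothetical guard placed in front of ServiceFactory.getService (assumption:
 * the application currently forwards a request-supplied name to that lookup).
 * Two layers: resolve() maps a small set of known keys to fixed local names,
 * and requireLocalName() rejects anything that is not a plain java:comp/env entry
 * for legacy call sites that still carry a full name.
 */
public final class JndiNameGuard {

    // Constructed allowlist: request key -> fixed, container-local JNDI name.
    private static final Map<String, String> SERVICES = Map.of(
        "orders",    "java:comp/env/service/OrderService",
        "inventory", "java:comp/env/service/InventoryService");

    // A local name: the java:comp/env/ prefix followed by path segments made of
    // safe characters only. Anything with another scheme (ldap:, rmi:, iiop:,
    // http:, dns:) or odd characters fails this pattern.
    private static final Pattern LOCAL_NAME =
        Pattern.compile("^java:comp/env/[A-Za-z0-9_]+(/[A-Za-z0-9_]+)*$");

    private JndiNameGuard() {}

    /** Preferred path: the caller supplies a key, never a JNDI name. */
    public static String resolve(String key) {
        String name = SERVICES.get(key);
        if (name == null) {
            throw new IllegalArgumentException("unknown service key: " + key);
        }
        return name;
    }

    /** Fallback for code that still receives a full name: accept local names only. */
    public static String requireLocalName(String name) {
        if (name == null || !LOCAL_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("JNDI name rejected: not a local java:comp/env entry");
        }
        return name;
    }

    // Demonstration with constructed inputs; the rejected ones are the shapes a
    // review of call sites should be looking for.
    public static void main(String[] args) {
        String[] samples = {
            "java:comp/env/service/OrderService",   // accepted
            "ldap://directory.example/cn=svc",      // rejected: remote scheme
            "rmi://registry.example/svc",           // rejected: remote scheme
            "java:comp/env/../global/other",        // rejected: path characters
        };
        for (String s : samples) {
            try {
                System.out.println("accept  " + requireLocalName(s));
            } catch (IllegalArgumentException e) {
                System.out.println("reject  " + s + "  (" + e.getMessage() + ")");
            }
        }
        System.out.println("resolve(orders) -> " + resolve("orders"));
    }
}
```

Prefer resolve() over requireLocalName(): an allowlist of keys removes the parsing question entirely, whereas a pattern check on a full name still has to keep up with every naming form the JNDI provider accepts. Either way, log the rejected value (without echoing it into a response) so that attempts to reach a remote lookup mechanism are visible to monitoring.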

Tags: Fix · RCE · DoS

Weakness Enumeration

Related Identifiers

BDU:2023-07271
CVE-2023-40743
DLA-3622-1
GHSA-RMQP-9W4C-GC7W
USN-6470-1

Affected Products

Apache Axis
Astra Linux
Linuxmint
Ubuntu