Moderate severity · NVD Advisory · Published Apr 30, 2007 · Updated Apr 23, 2026

CVE-2007-2353

CVE-2007-2353

Description

Apache Axis 1.0 allows remote attackers to obtain sensitive information by requesting a non-existent WSDL file, which reveals the installation path in the resulting exception message.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.apache.axis:axis (Maven) | < 1.2 | 1.2 |

Affected products

1
  • cpe:2.3:a:apache:axis:1.0:*:*:*:*:*:*:*

Patches

3
32f35038ecae

Fix up JWS error message to avoid using an absolute path.

https://github.com/albfernandez/axis1-javaTom JordahlJan 20, 2004via ghsa
1 file changed · +11 3
  • src/org/apache/axis/handlers/JWSHandler.java+11 3 modified
    @@ -61,6 +61,7 @@
     import java.io.FileWriter;
     import java.io.IOException;
     import java.io.InputStream;
    +import java.io.FileNotFoundException;
     import java.net.URL;
     import java.net.URLClassLoader;
     import java.net.URLDecoder;
    @@ -145,10 +146,18 @@ protected void setupService(MessageContext msgContext) throws Exception {
                 /***************************************************************/
                 String   jwsFile = realpath;
                 String rel = msgContext.getStrProp(Constants.MC_RELATIVE_PATH);
    +
    +            // Check for file existance, report error with
    +            // relative path to avoid giving out directory info.
    +            File  f2 = new File( jwsFile );
    +            if (!f2.exists()) {
    +                throw new FileNotFoundException(rel);
    +            }
    +
                 if (rel.charAt(0) == '/') {
                     rel = rel.substring(1);
                 }
    -            
    +
                 int lastSlash = rel.lastIndexOf('/');
                 String dir = null;
                 
    @@ -194,8 +203,7 @@ protected void setupService(MessageContext msgContext) throws Exception {
                 }
                 
                 File  f1 = new File( cFile );
    -            File  f2 = new File( jwsFile );
    -            
    +
                 /* Get the class */
                 /*****************/
                 String clsName = null ;
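Review bot: The guard added in the second hunk tests `f2.exists()`, which is also true for a directory, so a request whose real path is a directory (or an unreadable file) skips the new `FileNotFoundException(rel)` and falls through to the later file handling, where an exception built from `jwsFile` could presumably still carry the absolute path; `if (!f2.isFile() || !f2.canRead()) {` would cover those cases too. `rel` is read from the message context and becomes the exception text with no null or empty check, and since it is presumably request-derived it should be encoded wherever the fault is rendered to the client. setupService starts and ends outside these hunks, so the other error paths that may embed `realpath` or `cFile` cannot be checked from here and deserve the same treatment. The comment would also read better as `// Check for file existence, report error with`. The identical file sections under 2fdbb91c5e86 and 7ba89deb2eb2 carry the same points.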
    
2fdbb91c5e86

Fix up JWS error message to avoid using an absolute path.

https://github.com/apache/axis-axis1-javaTom JordahlJan 20, 2004via ghsa
1 file changed · +11 3
  • src/org/apache/axis/handlers/JWSHandler.java+11 3 modified
    @@ -61,6 +61,7 @@
     import java.io.FileWriter;
     import java.io.IOException;
     import java.io.InputStream;
    +import java.io.FileNotFoundException;
     import java.net.URL;
     import java.net.URLClassLoader;
     import java.net.URLDecoder;
    @@ -145,10 +146,18 @@ protected void setupService(MessageContext msgContext) throws Exception {
                 /***************************************************************/
                 String   jwsFile = realpath;
                 String rel = msgContext.getStrProp(Constants.MC_RELATIVE_PATH);
    +
    +            // Check for file existance, report error with
    +            // relative path to avoid giving out directory info.
    +            File  f2 = new File( jwsFile );
    +            if (!f2.exists()) {
    +                throw new FileNotFoundException(rel);
    +            }
    +
                 if (rel.charAt(0) == '/') {
                     rel = rel.substring(1);
                 }
    -            
    +
                 int lastSlash = rel.lastIndexOf('/');
                 String dir = null;
                 
    @@ -194,8 +203,7 @@ protected void setupService(MessageContext msgContext) throws Exception {
                 }
                 
                 File  f1 = new File( cFile );
    -            File  f2 = new File( jwsFile );
    -            
    +
                 /* Get the class */
                 /*****************/
                 String clsName = null ;
    
7ba89deb2eb2

Fix up JWS error message to avoid using an absolute path.

https://github.com/apache/axis-axis1-javaTom JordahlJan 20, 2004via ghsa
1 file changed · +11 3
  • src/org/apache/axis/handlers/JWSHandler.java+11 3 modified
    @@ -61,6 +61,7 @@
     import java.io.FileWriter;
     import java.io.IOException;
     import java.io.InputStream;
    +import java.io.FileNotFoundException;
     import java.net.URL;
     import java.net.URLClassLoader;
     import java.net.URLDecoder;
    @@ -145,10 +146,18 @@ protected void setupService(MessageContext msgContext) throws Exception {
                 /***************************************************************/
                 String   jwsFile = realpath;
                 String rel = msgContext.getStrProp(Constants.MC_RELATIVE_PATH);
    +
    +            // Check for file existance, report error with
    +            // relative path to avoid giving out directory info.
    +            File  f2 = new File( jwsFile );
    +            if (!f2.exists()) {
    +                throw new FileNotFoundException(rel);
    +            }
    +
                 if (rel.charAt(0) == '/') {
                     rel = rel.substring(1);
                 }
    -            
    +
                 int lastSlash = rel.lastIndexOf('/');
                 String dir = null;
                 
    @@ -194,8 +203,7 @@ protected void setupService(MessageContext msgContext) throws Exception {
                 }
                 
                 File  f1 = new File( cFile );
    -            File  f2 = new File( jwsFile );
    -            
    +
                 /* Get the class */
                 /*****************/
                 String clsName = null ;
    


References

10
