Apache Axis 1.x (EOL) may allow RCE when untrusted input is passed to getService
Description
Apache Axis 1.x EOL software includes a vulnerable ServiceFactory.getService method that can lead to DoS, SSRF, or RCE via untrusted input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
Apache Axis 1.x, an end-of-life SOAP engine, contains a vulnerability in the ServiceFactory.getService method that, when used with untrusted input, can enable dangerous lookup mechanisms such as LDAP. This can lead to denial of service (DoS), server-side request forgery (SSRF), and in some cases remote code execution (RCE) [1].
Exploitation and Root Cause
The root cause is that ServiceFactory.getService does not restrict the protocols used during the JNDI service lookup, so an attacker can pass an arbitrary string (for example one containing "LDAP") as the jndiName entry of the environment map handed to the method. As the fix commit shows [2], the patched code filters out unsupported protocols (LDAP, RMI, JMS, JMX, JRMP, JAVA, DNS) and returns null; in the unpatched version such lookups were carried out [2].
Impact and Mitigation
An attacker able to supply unsanitized input to this method can trigger outbound connections to attacker-controlled resources, potentially leading to data exfiltration or remote code execution. Because Axis 1.x is EOL, the Apache project does not plan to release an official fix; however, a patch is available on GitHub [2]. The recommended mitigation is to migrate to a different SOAP engine such as Apache Axis 2/Java, or to carefully review and sanitize any input passed to ServiceFactory.getService, ensuring no untrusted data reaches the method [1].
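As an added illustration (not Axis project code) of the input review the mitigation paragraph calls for, the guard below shows an allowlist-style check a caller could place in front of `ServiceFactory.getService`, next to a null-safe rendering of the patch's own substring denylist; the class name `JndiNameGuard`, the 255-character length limit and the sample names are assumptions.

```java
import java.util.Locale;
import java.util.regex.Pattern;

// Hypothetical guard (added example, not Axis code) for the "jndiName" value that
// ServiceFactory.getService reads from its environment map.
public final class JndiNameGuard {

    // A leading "scheme:" (ldap:, rmi:, dns:, ...) makes InitialContext.lookup select a
    // JNDI URL context factory, which is the path that reaches out to external resources.
    private static final Pattern SCHEME_PREFIX = Pattern.compile("^[A-Za-z][A-Za-z0-9+.-]*:");

    // Allowlist stance: accept only a simple, schemeless name such as the default
    // "axisServiceName" that getService binds itself. null means "use the default".
    public static boolean isAllowedJndiName(String name) {
        if (name == null) return true;
        if (name.isEmpty() || name.length() > 255) return false;   // assumed length cap
        return !SCHEME_PREFIX.matcher(name).find();
    }

    // The patch's substring denylist, kept for comparison, with the null check applied
    // to every term (in the commit only the first four terms sit behind it).
    private static final String[] DENIED = {"LDAP", "RMI", "JMS", "JMX", "JRMP", "JAVA", "DNS"};

    public static boolean isDeniedByPatch(String name) {
        if (name == null) return false;
        String upper = name.toUpperCase(Locale.ROOT);
        for (String token : DENIED) {
            if (upper.contains(token)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample names; the URL forms point at loopback only.
        String[] samples = {
            null,                        // absent entry, getService falls back to its default
            "axisServiceName",           // the default simple name
            "ldap://127.0.0.1:1389/x",   // URL form that selects the LDAP context factory
            "RMI://127.0.0.1/x",         // mixed case, still a scheme prefix
            "jmsBridgeService"           // plain name that happens to contain "JMS"
        };
        for (String s : samples) {
            System.out.printf("%-26s allowlist=%-5s patchDenies=%s%n",
                    s, isAllowedJndiName(s), isDeniedByPatch(s));
        }
    }
}
```

The last sample is the one where the two checks disagree: a plain name with no scheme passes the allowlist but trips the patch's substring match.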
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.axis:axis (Maven) | <= 1.4 | — |
| axis:axis (Maven) | <= 1.4 | — |
Affected products
- ghsa-coords (2 versions): <= 1.4
- (no CPE) range: <= 1.4
Patches
- 7e6675342746: Filter out unsupported protocols in the client class ServiceFactory
1 file changed · +5 −0
axis-rt-core/src/main/java/org/apache/axis/client/ServiceFactory.java+5 −0 modified@@ -106,6 +106,10 @@ public static Service getService(Map environment) if (context != null) { String name = (String)environment.get("jndiName"); + + if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 || name.toUpperCase().indexOf("JMX")!=-1) || name.toUpperCase().indexOf("JRMP")!=-1 || name.toUpperCase().indexOf("JAVA")!=-1 || name.toUpperCase().indexOf("DNS")!=-1) { + return null; + } if (name == null) { name = "axisServiceName"; } @@ -120,6 +124,7 @@ public static Service getService(Map environment) context.bind(name, service); } catch (NamingException e1) { // !!! Couldn't do it, what should we do here? + return null; } } } else {
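Review bot: in the first hunk (@@ -106) the `name!=null` guard covers only the first four terms of the new condition; because `&&` binds tighter than `||`, the expression reads `(name!=null && (LDAP || RMI || JMS || JMX)) || JRMP || JAVA || DNS`, so when `name` is null the `JRMP` term calls `name.toUpperCase()` and throws a NullPointerException before the existing `if (name == null) { name = "axisServiceName"; }` default can run. Hoist the guard and upper-case once, e.g. `if (name != null) { String upper = name.toUpperCase(Locale.ROOT); if (upper.contains("LDAP") || upper.contains("RMI") /* ... */) return null; }`. Two smaller points: bare substring matching also rejects legitimate simple names that happen to contain JMS, DNS or JAVA, so matching a leading `scheme:` prefix would be both stricter and less surprising, and the silent `return null` deserves a log line so that a rejected lookup is observable.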
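Review bot: in the second hunk (@@ -120) the `return null;` added inside `catch (NamingException e1)` swallows the exception and changes the method's contract (callers that previously received a Service after a failed bind now get null), yet the `// !!! Couldn't do it, what should we do here?` comment above it is left in place and nothing is logged. Replace the stale comment, log `e1` at warn level, and state in the method's Javadoc that getService returns null both for rejected names and for bind failures so callers know to null-check.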
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 (patch)
- github.com/advisories/GHSA-rmqp-9w4c-gc7w (advisory)
- lists.apache.org/thread/gs0qgk2mgss7zfhzdd6ftfjvm4kp7v82 (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-40743 (advisory)
- lists.debian.org/debian-lts-announce/2023/10/msg00025.html (web)