VYPR
High severity · NVD Advisory · Published Jan 6, 2024 · Updated Jun 18, 2025

Apache Axis 1.x (EOL) may allow SSRF when untrusted input is passed to the service admin HTTP API

CVE-2023-51441

Description

Improper input validation in Apache Axis admin service allows SSRF; product is EOL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper input validation in Apache Axis admin service allows SSRF; product is EOL.

Vulnerability

CVE-2023-51441 is an improper input validation vulnerability in Apache Axis 1.x that allows users with access to the admin service to perform server-side request forgery (SSRF). The root cause is insufficient validation of the JNDI name passed to the ServiceFactory.getService() method: a JNDI name can carry a URL scheme such as LDAP, RMI and others, so an unvalidated name lets the caller pick the protocol and destination the server connects to. This issue affects Axis versions through 1.3 [1].

Exploitation

An attacker who has access to the admin service can craft a malicious JNDI name containing unsupported protocols. The commit that addresses this vulnerability blocks protocols like IIOP and CORBANAME in addition to previously blocked ones, indicating that these were overlooked attack vectors [2]. The attack does not require prior authentication if the admin service is exposed.

Impact

Successful exploitation allows an attacker to make the Axis server initiate requests to arbitrary internal or external resources, potentially leaking sensitive information or pivoting to other systems. Since Axis 1 is end-of-life (EOL), there will be no official release with a fix [1].

Mitigation

As Apache Axis 1 is unsupported, users are strongly advised to migrate to Apache Axis 2/Java. Alternatively, the patch from commit 685c309febc64aa393b2d64a05f90e7eb9f73e06 can be manually applied to a custom build [2][1].
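The Vulnerability and Mitigation sections above turn on one question: how the JNDI name handed to ServiceFactory.getService() is validated. The following Java class is an added example, not code from the Apache Axis project or from the fix commit. It reimplements the substring denylist the patch uses (with an explicit null check) next to a hypothetical allowlist that accepts only the name forms a deployment actually binds, and runs both over constructed sample names. The allowlist policy (bare compound names, or names under the standard java:comp/env/ namespace) is an assumption for the example; the sample inputs are constructed.

```java
import java.util.Locale;
import java.util.regex.Pattern;

// Added example: contrasts the substring denylist used in the CVE-2023-51441 fix
// with an allowlist of expected name forms. Not part of Apache Axis.
public final class JndiNameCheck {

    // Protocol keywords blocked by the fix commit (see the patched condition).
    private static final String[] DENIED = {
        "LDAP", "RMI", "JMS", "JMX", "JRMP", "JAVA", "DNS", "IIOP", "CORBANAME"
    };

    // Denylist as in the patched ServiceFactory: case-insensitive substring match.
    // A null name is rejected up front here, so no term can dereference null.
    public static boolean deniedBySubstring(String name) {
        if (name == null) {
            return true;
        }
        String upper = name.toUpperCase(Locale.ROOT);
        for (String keyword : DENIED) {
            if (upper.indexOf(keyword) != -1) {
                return true;
            }
        }
        return false;
    }

    // Hypothetical allowlist policy for this example: a bare compound name made of a
    // conservative character set (no ':' so no URL scheme can appear), or a name
    // under the standard java:comp/env/ namespace. Adapt to what the deployment binds.
    private static final Pattern BARE_NAME =
        Pattern.compile("[A-Za-z0-9_./-]+");
    private static final Pattern ENC_NAME =
        Pattern.compile("java:comp/env/[A-Za-z0-9_./-]+");

    public static boolean allowed(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        return BARE_NAME.matcher(name).matches() || ENC_NAME.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        String[] samples = {
            "java:comp/env/ejb/Calculator",  // legitimate ENC name; denylist rejects it ("JAVA")
            "ejb/Calculator",                 // legitimate bare name
            "ldap://example.invalid/x",       // URL form the fix targets
            "iiop://example.invalid/obj",     // protocol added by the fix
            "somejavabean",                   // harmless name the denylist rejects ("JAVA")
            null                              // missing name
        };
        for (String s : samples) {
            System.out.printf("%-32s denylist-blocked=%-5b allowlist-accepts=%b%n",
                s, deniedBySubstring(s), allowed(s));
        }
    }
}
```

Running the class shows the two failure modes of a substring denylist in one table: it rejects legitimate names that merely contain a keyword (java:comp/env/..., somejavabean), and it can only ever block the schemes someone thought to list, whereas the allowlist rejects every scheme-bearing name by construction and keeps the deployment's real names working.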

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Affected versions   Patched versions
org.apache.axis:axis (Maven)  <= 1.3              (none)
axis:axis (Maven)             <= 1.3              (none)

Affected products

7

Patches

1
685c309febc6

Filter out more unsupported protocols in the client class ServiceFactory

https://github.com/apache/axis-axis1-java · Robert Lazarski · Dec 18, 2023 · via ghsa
1 file changed · +7 −1
  • axis-rt-core/src/main/java/org/apache/axis/client/ServiceFactory.java · +7 −1 · modified
    @@ -17,9 +17,11 @@
     package org.apache.axis.client;
     
     import org.apache.axis.EngineConfiguration;
    +import org.apache.axis.components.logger.LogFactory;
     import org.apache.axis.configuration.EngineConfigurationFactoryFinder;
     import org.apache.axis.utils.ClassUtils;
     import org.apache.axis.utils.Messages;
    +import org.apache.commons.logging.Log;
     
     import javax.naming.Context;
     import javax.naming.InitialContext;
    @@ -47,6 +49,9 @@
     public class ServiceFactory extends javax.xml.rpc.ServiceFactory
             implements ObjectFactory
     {
    +    protected static Log log =
    +        LogFactory.getLog(ServiceFactory.class.getName());
    +
         // Constants for RefAddrs in the Reference.
         public static final String SERVICE_CLASSNAME  = "service classname";
         public static final String WSDL_LOCATION      = "WSDL location";
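Review bot: the new `log` field is declared `protected static` and is not `final`, so it is reassignable and becomes part of the class's surface for subclasses. For a logger used only for diagnostics inside this class, `private static final Log log = ...` is the usual pattern and prevents accidental reassignment.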
    @@ -107,7 +112,8 @@ public static Service getService(Map environment)
             if (context != null) {
                 String name = (String)environment.get("jndiName");
     
    -	    if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 || name.toUpperCase().indexOf("JMX")!=-1) || name.toUpperCase().indexOf("JRMP")!=-1 || name.toUpperCase().indexOf("JAVA")!=-1 || name.toUpperCase().indexOf("DNS")!=-1)  {
    +	    if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 || name.toUpperCase().indexOf("JMX")!=-1) || name.toUpperCase().indexOf("JRMP")!=-1 || name.toUpperCase().indexOf("JAVA")!=-1 || name.toUpperCase().indexOf("DNS")!=-1 || name.toUpperCase().indexOf("IIOP")!=-1 || name.toUpperCase().indexOf("CORBANAME")!=-1) {
    +                log.warn("returning null, jndiName received by ServiceFactory.getService() is not supported by this method: " + name);
     	        return null;
                 }
                 if (name == null) {
    
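Review bot: the null guard in the rewritten condition still does not cover the whole expression. The parenthesis opened after `name!=null && (` closes after the `JMX` term, so the `JRMP`, `JAVA`, `DNS`, `IIOP` and `CORBANAME` terms are evaluated even when `name` is null, and `name.toUpperCase()` throws a NullPointerException before the `if (name == null)` branch below can run. Either test `name == null` first or put every `indexOf` term inside one parenthesised group. Two further points on the same lines: this is a substring denylist, so a legitimate name under the standard `java:comp/env/` namespace is rejected by the `JAVA` term while any scheme not in the list still passes; an allowlist of the name forms the deployment actually binds would be more robust. The new `log.warn` also writes the untrusted `name` verbatim; stripping line breaks (or logging only its length) avoids log forging through a crafted name.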

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.