Vulnerability Description
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; the latest version is 1.7.9 and is not vulnerable to this issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Axis | 1.4 |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Agile Product Lifecycle Management | 9.3.3 |
| Oracle | Application Testing Suite | 13.2.0.1 |
| Oracle | Big Data Discovery | 1.6 |
| Oracle | Communications Asap Cartridges | 7.2 |
| Oracle | Communications Design Studio | 7.3.4.3.0 |
| Oracle | Communications Element Manager | 8.0.0 |
| Oracle | Communications Network Integrity | 7.3.5 |
| Oracle | Communications Order And Service Management | 7.3.0.0.0 |
| Oracle | Communications Session Report Manager | 8.0.0 |
| Oracle | Communications Session Route Manager | 8.0.0 |
| Oracle | Endeca Information Discovery Studio | 3.2.0 |
| Oracle | Enterprise Manager Base Platform | 12.1.0.5 |
| Oracle | Enterprise Manager For Fusion Middleware | 12.1.0.5 |
| Oracle | Financial Services Analytical Applications Infrastructure | >= 7.3.3, <= 7.3.5 |
| Oracle | Financial Services Compliance Regulatory Reporting | >= 8.0.6, <= 8.0.8 |
| Oracle | Financial Services Funds Transfer Pricing | >= 8.0.2, <= 8.0.7 |
| Oracle | Flexcube Core Banking | 11.7.0 |
| Oracle | Flexcube Private Banking | 12.0.0 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/r3a5baf5d76f1f2181be7f54da3deab70d7a38b5660
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0
- https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain- (Exploit, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20240621-0006/
- https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (Patch, Third Party Advisory)
FAQ
What is CVE-2019-0227?
CVE-2019-0227 is a vulnerability with a CVSS score of 7.5 (HIGH). A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the project's Axis 1.x Subversi...
How severe is CVE-2019-0227?
CVE-2019-0227 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2019-0227?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Axis, Oracle Agile Engineering Data Management, Oracle Agile Product Lifecycle Management, Oracle Application Testing Suite, Oracle Big Data Discovery.