MidnightBSD

Advisories for genivia

CVE-2017-9765 MEDIUM

Integer overflow in the soap_get function in Genivia gSOAP 2.7.x and 2.8.x before 2.8.48, as used on Axis cameras and other devices, allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow and application crash) via a large XML document, aka Devil's Ivy. NOTE: the large document would be blocked by many common web-server configurations on general-purpose computers.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
genivia gsoap 2.8.5
genivia gsoap 2.7.7
genivia gsoap 2.8.29
genivia gsoap 2.8.32
genivia gsoap 2.8.38
genivia gsoap 2.8.39
genivia gsoap 2.8.47
genivia gsoap 2.7.15
genivia gsoap 2.7.4
genivia gsoap 2.8.7
genivia gsoap 2.8.34
genivia gsoap 2.8.37
genivia gsoap 2.7.12
genivia gsoap 2.8.11
genivia gsoap 2.8.25
genivia gsoap 2.8.26
genivia gsoap 2.8.33
genivia gsoap 2.7.13
genivia gsoap 2.8.17
genivia gsoap 2.7.6
genivia gsoap 2.8.9
genivia gsoap 2.8.43
genivia gsoap 2.8.27
genivia gsoap 2.8.6
genivia gsoap 2.7.16
genivia gsoap 2.8.16
genivia gsoap 2.8.28
genivia gsoap 2.8.44
genivia gsoap 2.7.5
genivia gsoap 2.7.2
genivia gsoap 2.7.3
genivia gsoap 2.8.2
genivia gsoap 2.8.30
genivia gsoap 2.8.4
genivia gsoap 2.7.0
genivia gsoap 2.8.14
genivia gsoap 2.8.10
genivia gsoap 2.8.13
genivia gsoap 2.8.19
genivia gsoap 2.7.10
genivia gsoap 2.8.21
genivia gsoap 2.7.17
genivia gsoap 2.8.36
genivia gsoap 2.8.0
genivia gsoap 2.8.15
genivia gsoap 2.8.3
genivia gsoap 2.8.18
genivia gsoap 2.8.42
genivia gsoap 2.8.35
genivia gsoap 2.8.20
genivia gsoap 2.8.31
genivia gsoap 2.8.41
genivia gsoap 2.7.9
genivia gsoap 2.7.8
genivia gsoap 2.8.23
genivia gsoap 2.8.46
genivia gsoap 2.8.8
genivia gsoap 2.8.1
genivia gsoap 2.8.22
genivia gsoap 2.7.11
genivia gsoap 2.7.14
genivia gsoap 2.7.1
genivia gsoap 2.8.24
genivia gsoap 2.8.12
genivia gsoap 2.8.45
genivia gsoap 2.8.40
CVE-2019-25355

gSOAP 2.8 contains a directory traversal vulnerability that allows unauthenticated attackers to access system files by manipulating HTTP path traversal techniques. Attackers can retrieve sensitive files like /etc/passwd by sending crafted GET requests with multiple '../' directory traversal sequences.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
genivia gsoap 2.8.0
CVE-2019-6973 MEDIUM

Sricam IP CCTV cameras are vulnerable to denial of service via multiple incomplete HTTP requests because the web server (based on gSOAP 2.8.x) is configured for an iterative queueing approach (aka non-threaded operation) with a timeout of several seconds.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
genivia gsoap 2.8.0
CVE-2019-7659 MEDIUM

Genivia gSOAP 2.7.x and 2.8.x before 2.8.75 allows attackers to cause a denial of service (application abort) or possibly have unspecified other impact if a server application is built with the -DWITH_COOKIES flag. This affects the C/C++ libgsoapck/libgsoapck++ and libgsoapssl/libgsoapssl++ libraries, as these are built with that flag.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 8.0
genivia gsoap *
CVE-2020-13574 MEDIUM

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
genivia gsoap 2.8.107
fedoraproject fedora 34
fedoraproject fedora 33
CVE-2020-13575 MEDIUM

A denial-of-service vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
talos-cna@cisco.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
genivia gsoap 2.8.107
fedoraproject fedora 34
fedoraproject fedora 33
CVE-2020-13576 HIGH

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-680,CWE-190,

Products Affected

Vendor Product Version
genivia gsoap 2.8.107
fedoraproject fedora 34
fedoraproject fedora 33
CVE-2020-13577 MEDIUM

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
genivia gsoap 2.8.107
fedoraproject fedora 34
fedoraproject fedora 33
CVE-2020-13578 MEDIUM

A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,CWE-476,

Products Affected

Vendor Product Version
genivia gsoap 2.8.107
fedoraproject fedora 34
fedoraproject fedora 33
CVE-2021-21783 HIGH

A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-680,CWE-190,

Products Affected

Vendor Product Version
oracle communications_eagle_application_processor *
oracle communications_eagle_lnp_application_processor 46.7
genivia gsoap 2.8.107
oracle communications_eagle_lnp_application_processor 46.8
oracle communications_lsms 13.4
oracle communications_diameter_signaling_router *
oracle communications_lsms 13.1
oracle communications_eagle_lnp_application_processor 46.9
oracle communications_lsms 13.2
oracle tekelec_virtual_operating_environment *
oracle communications_lsms 13.3