A denial-of-service vulnerability exists in the WS-Security plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.
Weakness
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gsoap | Genivia | 2.8.107 (including) | 2.8.107 (including) |
| Gsoap | Ubuntu | bionic | * |
| Gsoap | Ubuntu | esm-apps/bionic | * |
| Gsoap | Ubuntu | esm-apps/focal | * |
| Gsoap | Ubuntu | esm-apps/jammy | * |
| Gsoap | Ubuntu | focal | * |
| Gsoap | Ubuntu | groovy | * |
| Gsoap | Ubuntu | hirsute | * |
| Gsoap | Ubuntu | impish | * |
| Gsoap | Ubuntu | jammy | * |
| Gsoap | Ubuntu | kinetic | * |
| Gsoap | Ubuntu | trusty | * |
| Gsoap | Ubuntu | upstream | * |
| Gsoap | Ubuntu | xenial | * |
Potential Mitigations
References
- https://lists.debian.org/debian-lts-announce/2024/02/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JINMAJB4WQASTKTNSPQL3V7YMSYPKIA2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMTJ3SJJ22SFLBLPKFADV7NVBH7UFA23/
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1188
- https://lists.debian.org/debian-lts-announce/2024/02/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JINMAJB4WQASTKTNSPQL3V7YMSYPKIA2/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SMTJ3SJJ22SFLBLPKFADV7NVBH7UFA23/
- https://talosintelligence.com/vulnerability_reports/TALOS-2020-1188