axis-java-dev mailing list archives

From Philip Lowman
Subject Question on vulnerable Xalan 2.7.0 being distributed with Axis2 1.7.3
Date Sat, 10 Sep 2016 14:12:36 GMT
I noticed that Xalan version 2.7.0 is being distributed with the Axis2
1.7.3 binary release.

This version appears to have a rather serious security flaw which (if I am
understanding things properly) can allow remote code execution.  I guess
I'm wondering if this is exploitable via Axis somehow?

I've tried the approach indicated at ws-attacks below which I think is for
this vulnerability, but run into exceptions I don't understand (and I'm
also not a WS/XML/XSLT guru).


Philip Lowman
