Vulnerability Details : CVE-2019-0227
Potential exploit
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution, which was last released in 2006. Security and bug-fix commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2; its latest version, 1.7.9, is not vulnerable to this issue.
Vulnerability category: Server-side request forgery (SSRF)
Products affected by CVE-2019-0227
- cpe:2.3:a:apache:axis:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:internet_directory:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:internet_directory:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:secure_global_desktop:5.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:tuxedo:12.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:tuxedo:12.1.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_human_resources:9.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_human_resources:7.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_human_capital_management_human_resources:7.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_product_lifecycle_management_framework:9.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:knowledge:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_for_fusion_middleware:12.1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_core_banking:11.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_core_banking:11.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_core_banking:11.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:16.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_gateway:17.12.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
- Oracle » Financial Services Funds Transfer Pricing, versions from 8.0.2 (inclusive) up to 8.0.7 (inclusive): cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:*:*:*:*:*:*:*:*
- Oracle » Financial Services Analytical Applications Infrastructure, versions from 7.3.3 (inclusive) up to 7.3.5 (inclusive): cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
- Oracle » Financial Services Analytical Applications Infrastructure, versions from 8.0.0 (inclusive) up to 8.0.8 (inclusive): cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_order_and_service_management:7.3.0.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_order_and_service_management:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:big_data_discovery:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_asap_cartridges:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_asap_cartridges:7.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_design_studio:7.3.4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_design_studio:7.3.5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_design_studio:7.4.0.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_design_studio:7.4.1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_network_integrity:7.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_report_manager:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_report_manager:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_route_manager:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_route_manager:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
- Oracle » Financial Services Compliance Regulatory Reporting, versions from 8.0.6 (inclusive) up to 8.0.8 (inclusive): cpe:2.3:a:oracle:financial_services_compliance_regulatory_reporting:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:real-time_decision_server:3.2.1.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-0227
79.28%
Probability of exploitation activity in the next 30 days
EPSS Score History
~99% percentile (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2019-0227
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.4 | MEDIUM | AV:A/AC:M/Au:N/C:P/I:P/A:P | 5.5 | 6.4 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 | NIST | |
CWE ids for CVE-2019-0227
- The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-0227
- https://www.oracle.com/security-alerts/cpujan2020.html : Oracle Critical Patch Update Advisory - January 2020 (Patch; Third Party Advisory)
- https://lists.apache.org/thread.html/r3a5baf5d76f1f2181be7f54da3deab70d7a38b5660b387583d05a8cd@%3Cjava-user.axis.apache.org%3E : [Axis2] Migration Issues - Pony Mail (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E : Apache Software Foundation Security Report: 2019 - Pony Mail (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/r3a5baf5d76f1f2181be7f54da3deab70d7a38b5660b387583d05a8cd%40%3Cjava-user.axis.apache.org%3E : [Axis2] Migration Issues - Apache Mail Archives
- https://www.oracle.com/security-alerts/cpuapr2022.html : Oracle Critical Patch Update Advisory - April 2022 (Patch; Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html : Oracle Critical Patch Update Advisory - April 2020 (Patch; Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html : Page not found | Oracle (Patch; Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html : Oracle Critical Patch Update Advisory - July 2020 (Patch; Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html : Oracle Critical Patch Update Advisory - January 2021 (Patch; Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuApr2021.html : Oracle Critical Patch Update Advisory - April 2021 (Patch; Third Party Advisory)
- https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/ : CVE-2019-0227: Expired Domain to RCE in Apache Axis (Exploit; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20240621-0006/ : February 2024 IBM Cognos Analytics Vulnerabilities in NetApp Products | NetApp Product Security
- https://www.oracle.com/security-alerts/cpuoct2021.html : Oracle Critical Patch Update Advisory - October 2021 (Patch; Third Party Advisory)
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E : Apache Software Foundation Security Report: 2019 - Apache Mail Archives
- https://www.oracle.com/security-alerts/cpujul2022.html : Oracle Critical Patch Update Advisory - July 2022