Skip to content

[GHSA-wwq7-pxwc-p4rc] Improper Input Validation in Apache Axis2 #6497

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
advisory-database merged 1 commit into from
Dec 4, 2025
Merged

[GHSA-wwq7-pxwc-p4rc] Improper Input Validation in Apache Axis2 #6497

advisory-database merged 1 commit into from
Dec 4, 2025
+17 −1

Conversation

@steinybot
Copy link

@steinybot steinybot commented Dec 4, 2025

Updates

  • Affected products

Comments
I'm fairly certain that this is in the axis2-transport-http module. The axis2 module is a fat JAR containing a whole lot of other modules. See the https://repo1.maven.org/maven2/org/apache/axis2/axis2/1.5.1/axis2-1.5.1.pom. I don't know what version though. Presumably the same ones listed here although the <= 1.6.2 looks wrong. I think this affects 1.7 too.

Copilot AI review requested due to automatic review settings December 4, 2025 09:34
@github-actions github-actions bot changed the base branch from main to steinybot/advisory-improvement-6497 December 4, 2025 09:35
Copilot finished reviewing on behalf of steinybot December 4, 2025 09:36
Copilot AI reviewed Dec 4, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request updates a GitHub Security Advisory for CVE-2012-5785, which affects Apache Axis2/Java. The change adds a second affected package entry to clarify that the vulnerability impacts org.apache.axis2:axis2-transport-http in addition to the already-listed org.apache.axis2:axis2 package.

  • Adds org.apache.axis2:axis2-transport-http as an affected package
  • Updates the modified timestamp to 2023-01-27T05:02:15Z
  • Addresses the comment in the PR description that the issue is in the axis2-transport-http module rather than just the fat JAR

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

advisories/github-reviewed/2022/05/GHSA-wwq7-pxwc-p4rc/GHSA-wwq7-pxwc-p4rc.json
Comment on lines +40 to +49
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
]
Copy link

Copilot AI Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new package entry for org.apache.axis2:axis2-transport-http is missing a fixed version in the events array. According to the existing entry for org.apache.axis2:axis2, the vulnerability was fixed in version 1.8.0. The new entry should include a similar fixed event to specify which version resolved the vulnerability.

Compare with the existing entry (lines 18-33) which includes:

{
  "introduced": "0"
},
{
  "fixed": "1.8.0"
}

The new entry should follow the same pattern to provide complete vulnerability information.

Copilot uses AI. Check for mistakes.
advisories/github-reviewed/2022/05/GHSA-wwq7-pxwc-p4rc/GHSA-wwq7-pxwc-p4rc.json
Comment on lines +49 to 50
]
}
Copy link

Copilot AI Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new package entry is missing database_specific field with last_known_affected_version_range information. The existing entry for org.apache.axis2:axis2 includes this field (line 31-33) which provides important context about the last affected version. Consider adding similar information for the axis2-transport-http package to maintain consistency and completeness.

Suggested change
]
}
]
,
"database_specific": {
"last_known_affected_version_range": "<= 1.6.2"
}
}

Copilot uses AI. Check for mistakes.
@advisory-database advisory-database bot merged commit 7e9d8ee into steinybot/advisory-improvement-6497 Dec 4, 2025
10 checks passed
@advisory-database
Copy link
Contributor

advisory-database bot commented Dec 4, 2025

Hi @steinybot! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the steinybot-GHSA-wwq7-pxwc-p4rc branch December 4, 2025 22:13
aprendis543 referenced this pull request Dec 5, 2025
@advisory-database
Publish Advisories
10bbf8e 
GHSA-2jcm-5xf4-f336
GHSA-3j3g-3pw9-9vcc
GHSA-3j5h-f552-7rhh
GHSA-45cx-fj69-47wf
GHSA-4jmm-vm3q-jf46
GHSA-768g-4qpg-32w7
GHSA-7w72-74p3-5cfq
GHSA-f273-cm78-fr26
GHSA-pgg4-37vc-q6h2
GHSA-q4hc-8qp5-39rj
GHSA-q85g-v7c2-rh39
GHSA-vcq4-6967-rq8f
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@steinybot