
Apache Axis

Apache Axis is a Java SOAP engine. The 1.x line implements JAX-RPC and is deployed as a WAR inside servlet containers such as Tomcat; Axis2 is a separate, rewritten codebase. NVD tracks the 1.x line under the apache:axis CPE product (Axis2 has its own product name, apache:axis2). The 1.x series saw its last release, 1.4, in 2006 and is end-of-life: the Apache Software Foundation has cut no release since and publishes no security releases for it.

api usage

Querying Apache Axis

product slug: apache_axis
version format: 1.4, 2.0.0
bash
curl "https://api.attestd.io/v1/check?product=apache_axis&version=1.4" \
  -H "Authorization: Bearer $ATTESTD_KEY"

Axis 1.4 is affected by CVE-2023-40743: the Axis 1.x ServiceFactory resolves a caller-supplied service name through a JNDI lookup, so untrusted input reaching it allows JNDI injection and, through it, loading of attacker-controlled Java classes on the server. The lookup itself involves no authentication, and the 1.x line has no fixed release.

json
{
  "product": "apache_axis",
  "version": "1.4",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "remote_code_execution",
    "no_authentication_required"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": false,
  "fixed_version": null,
  "confidence": 0.85,
  "cve_ids": ["CVE-2023-40743", "CVE-2019-0227", "CVE-2012-5784", "CVE-2014-3596"],
  "last_updated": "2026-06-08T00:00:00Z",
  "supply_chain": null
}
safe version

Apache Axis 1.x has no patched release for CVE-2023-40743, and the project is end-of-life, so no 1.x version is a safe target. The only resolution for the 1.x line is migration to a maintained SOAP stack, such as Apache Axis2 (the successor upstream points to) or Apache CXF; until that is done, keep the Axis endpoints off untrusted networks. Run /v1/check against your deployed version to confirm the current risk state before planning the migration.
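A small client that issues the same /v1/check request as the curl call above and turns the response into a remediation decision, added here as an example; it is not Attestd's client library. It assumes only the request shape shown above and the response fields in the sample JSON. The P1/P2/P3 priority scheme, the confidence threshold and the embedded copy of the sample response are constructions for this example so that triage() runs offline.

```python
import json
import os
import urllib.parse
import urllib.request

ATTESTD_URL = "https://api.attestd.io/v1/check"

# Copy of the sample response above (constructed here so triage() runs offline).
SAMPLE_AXIS_14 = {
    "product": "apache_axis", "version": "1.4", "supported": True,
    "risk_state": "critical",
    "risk_factors": ["remote_code_execution", "no_authentication_required"],
    "actively_exploited": False, "remote_exploitable": True,
    "authentication_required": False, "patch_available": False,
    "fixed_version": None, "confidence": 0.85,
    "cve_ids": ["CVE-2023-40743", "CVE-2019-0227", "CVE-2012-5784", "CVE-2014-3596"],
    "last_updated": "2026-06-08T00:00:00Z", "supply_chain": None,
}


def fetch_check(product, version, api_key=None, timeout=10):
    """Live /v1/check call with the same query and header as the curl example.
    Needs network access and ATTESTD_KEY; not exercised offline."""
    key = api_key or os.environ["ATTESTD_KEY"]
    query = urllib.parse.urlencode({"product": product, "version": version})
    req = urllib.request.Request(
        f"{ATTESTD_URL}?{query}", headers={"Authorization": f"Bearer {key}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def triage(result, min_confidence=0.7):
    """Map a /v1/check response to (priority, action, reasons).

    priority: "P1" fix now, "P2" schedule this cycle, "P3" track,
    or "unknown" when the product/version was not assessed.
    The thresholds are assumptions of this example, not Attestd semantics."""
    if not result.get("supported"):
        return ("unknown", "not assessed: check product slug and version format", [])

    reasons = list(result.get("risk_factors", []))
    risk = result.get("risk_state")
    if result.get("actively_exploited"):
        priority = "P1"
        reasons.append("actively exploited")
    elif (risk == "critical" and result.get("remote_exploitable")
          and not result.get("authentication_required")):
        priority = "P1"
        reasons.append("critical, remote, no authentication needed")
    elif risk in ("critical", "high"):
        priority = "P2"
    else:
        priority = "P3"

    fixed = result.get("fixed_version")
    if result.get("patch_available") and fixed:
        action = f"upgrade to {fixed}"
    elif not result.get("patch_available"):
        # The end-of-life case on this page: no release will ever close the CVEs.
        action = "no fixed release: migrate off this product line; isolate the endpoint until then"
    else:
        action = "patch reported but no version given: confirm with the vendor advisory"

    if result.get("confidence", 1.0) < min_confidence:
        reasons.append(f"low confidence ({result['confidence']}): verify against the advisory")
    return (priority, action, reasons)


if __name__ == "__main__":
    prio, action, why = triage(SAMPLE_AXIS_14)
    print(prio, action, "; ".join(why))
```

For the sample response this yields P1 with the migration action, because the product is unpatched, remotely reachable and needs no authentication; a response carrying patch_available with a fixed_version would instead produce an upgrade instruction.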

notable cves

CVE history

Axis 1.x CVEs concentrate in two areas: server-side flaws reachable without authentication (the JNDI service lookup, and an SSRF that reaches the AdminService, which by default accepts requests only from localhost), and TLS hostname verification failures in the HTTP client that allow man-in-the-middle attacks against outbound SOAP calls.

CVE             Affects  CVSS  Description
CVE-2023-40743  <= 1.4   9.8   Untrusted service name resolved through a JNDI lookup by ServiceFactory, giving JNDI injection and, through it, instantiation of attacker-controlled Java classes on the server.
CVE-2019-0227   <= 1.4   7.6   Server-side request forgery in the Axis 1.4 distribution: the server can be made to issue HTTP requests chosen by the client. Because AdminService accepts requests from localhost only by default, an SSRF that reaches it lets a remote attacker deploy a service of their choosing.
CVE-2014-3596   <= 1.4   5.8   Incomplete fix for CVE-2012-5784: the HTTPS client finds the CN by string-matching the subject DN instead of checking the CN and subjectAltName structurally, so a certificate carrying "CN=<target>" in a non-CN subject field passes, allowing man-in-the-middle interception of SOAP calls.
CVE-2012-5784   <= 1.4   5.8   HTTPS client accepts any certificate whose chain validates without comparing the server hostname to the CN or subjectAltName, allowing man-in-the-middle interception.

KEV marks a CVE listed in CISA's Known Exploited Vulnerabilities catalog (active exploitation confirmed). None of the entries above carries the mark, matching actively_exploited: false in the sample response.
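What the two TLS CVEs amount to, as an added example written in Python rather than Axis's Java (it is not the project's code): a hostname check with the rules a correct fix needs, beside the unpatched accept-anything behaviour the page describes for CVE-2012-5784, and a certificate shaped like the CVE-2014-3596 bypass. The certificate dicts follow the layout of Python's ssl.SSLSocket.getpeercert() and are constructed for the example; the hostnames are made up.

```python
import ipaddress


def _match_dns(pattern, hostname):
    """Compare one dNSName (or CN) against the target, RFC 6125 style:
    case-insensitive, and a wildcard only as the entire left-most label
    with at least two labels after it ("*.example.com" ok, "*.com" not)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def _san(cert, kind):
    return [value for key, value in cert.get("subjectAltName", ()) if key == kind]


def _common_names(cert):
    # Walk the structured subject; never substring-search "CN=" in a DN
    # string, which is the CVE-2014-3596 mistake.
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def verify_hostname(cert, hostname):
    """True only if the certificate names the host we dialled.
    IP targets must match an IP SAN; DNS targets match dNSName SANs, and
    the CN is consulted only when the cert carries no dNSName at all."""
    try:
        target_ip = ipaddress.ip_address(hostname)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        for value in _san(cert, "IP Address"):
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue
        return False
    dns_names = _san(cert, "DNS")
    if dns_names:
        return any(_match_dns(p, hostname) for p in dns_names)
    return any(_match_dns(cn, hostname) for cn in _common_names(cert))


def unpatched_verify(cert, hostname):
    """Behaviour the page describes for CVE-2012-5784: the chain validates,
    the name is never compared, so any CA-issued certificate is accepted."""
    return True


# Constructed certificates in getpeercert() layout; hostnames are made up.
LEGIT_CERT = {
    "subject": ((("commonName", "soap.example.com"),),),
    "subjectAltName": (("DNS", "soap.example.com"), ("DNS", "*.svc.example.com"),
                       ("IP Address", "10.0.0.5")),
}
# Valid certificate for a different name, as a man-in-the-middle would present.
MITM_CERT = {
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"),),
}
# CVE-2014-3596 shape: "CN=" planted in a non-CN field of a CN-only certificate.
SPOOFED_DN_CERT = {
    "subject": ((("organizationName", "CN=soap.example.com"),),
                (("commonName", "attacker.example"),)),
}


def demo(hostname="soap.example.com"):
    """Accept/reject matrix: name -> (unpatched result, fixed result)."""
    return {name: (unpatched_verify(cert, hostname), verify_hostname(cert, hostname))
            for name, cert in (("legit", LEGIT_CERT), ("mitm", MITM_CERT),
                               ("spoofed_dn", SPOOFED_DN_CERT))}


if __name__ == "__main__":
    for name, (old, new) in demo().items():
        print(f"{name:11s} unpatched={old} fixed={new}")
```

The unpatched verifier accepts all three certificates; the structured check accepts only the legitimate one, and rejects the spoofed DN precisely because it reads the commonName attribute instead of scanning the DN text for "CN=".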

data sources

NVD namespace

NVD tracks the Axis 1.x line under the CPE product apache:axis; Axis2 has its own product name, apache:axis2, so the two lines do not share a namespace. Version strings follow dotted release notation (1.4, 2.0.0).

cpe:2.3:a:apache:axis:*:*:*:*:*:*:*:*

Attestd queries the apache:axis namespace directly. No namespace merging is required.
