Attacker Value: Very High (1 user assessed)

Disclosure Date: May 24, 2018

The AXIS webapp in deploy-tomcat/axis in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2 and 7.2.0 through allows remote attackers to obtain sensitive configuration information via a direct request, as demonstrated by happyaxis.jsp. IBM X-Force ID: 84354.


  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

The CVE here doesn't show the real impact of this vulnerability, and the data is also partial/misleading.

Axis2 version 1.6.2 lets an attacker read files on the local filesystem. The admin password is written in plaintext in an XML configuration file.
Chaining these two easy vulnerabilities, an attacker is able to log in as admin to Axis2 and to deploy a new webservice to achieve remote code execution.

Things get worse because we mostly find Axis2 internet-facing.

To retrieve the config file an attacker can just exploit the LFI in a very basic way:
GET /axis2/services/Version?xsd=../conf/axis2.xml
then scroll down to read the username/password parameters.

With the given credentials, axis2_deployer (from Metasploit) will let him deploy a Meterpreter session.
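Added example, not part of the assessment above or of any project's code: a small log-triage script that flags the traversal pattern quoted above (the xsd parameter on /axis2/services/) after undoing one or more layers of URL encoding, and separately flags any hit on the Axis2 admin console, whose location under /axis2/axis2-admin/ is an assumption about a standard deployment. The log lines and the combined-log format are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache/Tomcat combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/May/2018:10:01:02 +0000] "GET /axis2/services/Version?xsd=Version.xsd HTTP/1.1" 200 512
10.0.0.9 - - [24/May/2018:10:01:07 +0000] "GET /axis2/services/Version?xsd=../conf/axis2.xml HTTP/1.1" 200 8192
10.0.0.9 - - [24/May/2018:10:01:09 +0000] "GET /axis2/services/Version?xsd=..%252Fconf%252Faxis2.xml HTTP/1.1" 200 8192
10.0.0.9 - - [24/May/2018:10:02:00 +0000] "POST /axis2/axis2-admin/login HTTP/1.1" 302 -
10.0.0.7 - - [24/May/2018:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A ".." path segment, with either slash style, anywhere in the decoded value.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %252F (double-encoded '/') is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (rule, source_ip, request_target) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    path = fully_decode(parts.path)
    # Assumed deployment layout: the Axis2 admin console lives under /axis2/axis2-admin/.
    if path.startswith('/axis2/axis2-admin'):
        return ('axis2-admin-console', m.group('src'), m.group('target'))
    if path.startswith('/axis2/services/'):
        # parse_qs already decodes once; fully_decode catches the remaining layers.
        for value in parse_qs(parts.query, keep_blank_values=True).get('xsd', []):
            if TRAVERSAL_RE.search(fully_decode(value)):
                return ('axis2-xsd-traversal', m.group('src'), m.group('target'))
    return None

def scan(log_text):
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == '__main__':
    for rule, src, target in scan(SAMPLE_LOG):
        print(f'{rule:22} {src:10} {target}')
```

A legitimate schema fetch (the first line) produces no hit; the two traversal variants and the admin-console login from the same source are what an analyst would want to correlate.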
