Talos Vulnerability Report


Genivia gSOAP WS-Addressing plugin code execution vulnerability redux

March 24, 2021
CVE Number



A code execution vulnerability exists in the WS-Addressing plugin functionality of Genivia gSOAP 2.8.107. A specially crafted SOAP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.

Tested Versions

Genivia gSOAP 2.8.109
Genivia gSOAP 2.8.110

Product URLs


CVSSv3 Score

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CWE-680 - Integer Overflow to Buffer Overflow


The gSOAP toolkit is a C/C++ library for developing XML-based web services. It includes several plugins to support the implementation of SOAP and web service standards. The framework also provides multiple deployment options including modules for both IIS and Apache, standalone CGI scripts and its standalone HTTP service.

One of the many plugins provided by gSOAP includes the wsa plugin for supporting the WS-Addressing specification which provides an asynchronous mechanism for routing SOAP requests and responses. The specification includes a element for providing URI parameters to a number of different parts of both requests and responses. The URIs may include a username and password for the resource in a standard format. http://user:password@somehost.com A buffer overflow vulnerability existing in the parsing of these extra parameters.

While testing a newer version of gSOAP (2.8.110), it was discovered that we were able to reproduce a previously patched vulnerability again. This vulnerability, TALOS-2020-1187, was disclosed to Genivia and patched in an update in October of 2020. Details of the vulnerability remain the same.

Changes were made to soap_decode to check for negative values but unforunately the checks were added comparing size_t types. size_t data types are unsigned integers which can never hold negative values. When the initial size calculation occurs, an unsigned value will wrap around to a very large number resulting in this condition always being true.

soap_decode(char *buf, size_t len, const char *val, const char *sep)
  const char *s;
  char *t = buf;
  size_t i = len;
  if (!buf || !val || !sep || len == 0)
    return val;
  for (s = val; *s; s++)
    if (*s != ' ' && *s != '\t' && !strchr(sep, *s))
  if (len > 0)
    if (*s == '"')
      while (*s && *s != '"' && i-- > 1)
        *t++ = *s++;
      while (*s && !strchr(sep, *s) && i-- > 1)
        if (*s == '%' && s[1] && s[2])
          *t++ = ((s[1] >= 'A' ? (s[1] & 0x7) + 9 : s[1] - '0') << 4)
                + (s[2] >= 'A' ? (s[2] & 0x7) + 9 : s[2] - '0');
          s += 3;
          *t++ = *s++;
    buf[len - 1] = '\0'; /* appease static checkers that get confused */
  *t = '\0';
  while (*s && !strchr(sep, *s))
  return s;


2021-01-22 - Vendor Disclosure
2021-03-24 - Public Release


Discovered by a member of Cisco Talos.