Description

The Apache Sling JCR ContentLoader 2.1.4 XmlReader used in the Sling JCR content loader module makes it possible to import arbitrary files in the content repository, including local files, causing potential information leaks. Users should upgrade to version 2.1.6 of the JCR ContentLoader

Remediation

References

https://issues.apache.org/jira/browse/SLING-2512

https://lists.apache.org/thread.html/50994d80dd5cf93f1365dacfcaecf5c12f1efe522c4ff6040b3c521a%40%3Cdev.sling.apache.org%3E

Related Vulnerabilities

CVE-2021-20222 Vulnerability in maven package org.keycloak:keycloak-core

CVE-2014-3623 Vulnerability in maven package wss4j:wss4j

CVE-2018-8003 Vulnerability in maven package org.apache.ambari:ambari-server

CVE-2023-49380 Vulnerability in maven package com.jfinal:jfinal

CVE-2020-9497 Vulnerability in maven package org.apache.guacamole:guacamole

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory