Description
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Remediation
Upgrade to a release that contains the fix for the affected branch: 2.0.6, 2.2.14, 2.4.6, 2.6.6, 2.8.1, or 2.10.1 (the fixed versions follow from the affected ranges in the description above).
References
http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
http://www.debian.org/security/2015/dsa-3298
http://www.securityfocus.com/archive/1/535582/100/0/threaded
http://www.securityfocus.com/bid/74761
https://issues.apache.org/jira/browse/JCR-3883
https://www.exploit-db.com/exploits/37110/