Description

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.

Remediation

References

http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E

http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html

http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt

http://www.debian.org/security/2015/dsa-3298

http://www.securityfocus.com/archive/1/535582/100/0/threaded

http://www.securityfocus.com/bid/74761

https://issues.apache.org/jira/browse/JCR-3883

https://www.exploit-db.com/exploits/37110/

Related Vulnerabilities

CVE-2011-0533 Vulnerability in maven package org.apache.archiva:archiva-common

CVE-2014-0363 Vulnerability in maven package org.igniterealtime.smack:smack-core

CVE-2022-45875 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-alert-plugins

CVE-2021-20222 Vulnerability in maven package org.keycloak:keycloak-core

CVE-2017-5637 Vulnerability in maven package org.apache.zookeeper:zookeeper

Severity

Critical

Classification

CWE-20

Tags

Vendor Advisory Exploit