Description

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.

Remediation

References

http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E

http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html

http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt

http://www.debian.org/security/2015/dsa-3298

http://www.securityfocus.com/archive/1/535582/100/0/threaded

http://www.securityfocus.com/bid/74761

https://issues.apache.org/jira/browse/JCR-3883

https://www.exploit-db.com/exploits/37110/

Related Vulnerabilities

CVE-2014-3416 Vulnerability in maven package org.jasig.portal:uportal-war

CVE-2019-16568 Vulnerability in maven package hudson.plugins.sctmexecutor:sctmexecutor

CVE-2020-1956 Vulnerability in maven package org.apache.kylin:kylin-core-common

CVE-2023-46233 Vulnerability in maven package org.webjars.npm:crypto-js

CVE-2010-4207 Vulnerability in maven package org.webjars:yui

Severity

Critical

Classification

CWE-20

Tags

Vendor Advisory Exploit