Description
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
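As an added defensive example, not Jackrabbit's own code nor the project's actual fix: a hardened JAXP parser configuration for WebDAV request bodies that refuses any DTD, so the external-entity path the description names (file read, requests to intranet hosts) is never reached. Class and method names, and the sample bodies, are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedWebDavParser {

    // Build a DOM parser that refuses DTDs and external entities entirely.
    // The feature URIs are the standard SAX/Xerces ones honoured by the JDK parser.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // WebDAV bodies use the DAV: namespace
        // Reject any <!DOCTYPE ...>; this alone blocks XXE, the rest is defence in depth.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse a request body; returns null (without touching the filesystem or
    // network) when the body carries a DTD. Caller should answer 400 Bad Request.
    static Document parseRequestBody(String body)
            throws ParserConfigurationException, IOException {
        try {
            return hardenedBuilder().parse(new InputSource(new StringReader(body)));
        } catch (SAXException rejected) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies (not taken from the advisory or the exploit).
        String propfind = "<?xml version=\"1.0\"?>"
            + "<D:propfind xmlns:D=\"DAV:\"><D:allprop/></D:propfind>";
        String withDtd = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE propfind [<!ENTITY e \"x\">]>"
            + "<D:propfind xmlns:D=\"DAV:\"><D:prop><D:p>&e;</D:p></D:prop></D:propfind>";
        System.out.println("plain PROPFIND parsed: " + (parseRequestBody(propfind) != null));
        System.out.println("DTD-bearing body rejected: " + (parseRequestBody(withDtd) == null));
    }
}
```

Because the internal-entity body above is rejected as well, the check does not depend on recognising any particular entity URI; every DOCTYPE is refused before entity resolution starts.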
Remediation
References
http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
http://www.debian.org/security/2015/dsa-3298
http://www.securityfocus.com/archive/1/535582/100/0/threaded
http://www.securityfocus.com/bid/74761
https://issues.apache.org/jira/browse/JCR-3883
https://www.exploit-db.com/exploits/37110/
Related Vulnerabilities
CVE-2013-2165 Vulnerability in maven package org.richfaces.core:richfaces-core-impl
CVE-2016-0763 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2017-1000243 Vulnerability in maven package org.jvnet.hudson.plugins:favorite
CVE-2023-34453 Vulnerability in maven package org.xerial.snappy:snappy-java
CVE-2015-1812 Vulnerability in maven package org.jenkins-ci.main:jenkins-core