Description
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Remediation
References
http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
http://www.debian.org/security/2015/dsa-3298
http://www.securityfocus.com/archive/1/535582/100/0/threaded
http://www.securityfocus.com/bid/74761
https://issues.apache.org/jira/browse/JCR-3883
https://www.exploit-db.com/exploits/37110/
Related Vulnerabilities
CVE-2010-2076 Vulnerability in maven package org.apache.axis2:axis2-kernel
CVE-2018-14642 Vulnerability in maven package io.undertow:undertow-core
CVE-2017-5662 Vulnerability in maven package org.eclipse.birt.runtime:org.apache.batik.dom
CVE-2019-10364 Vulnerability in maven package org.jenkins-ci.plugins:ec2
CVE-2022-40955 Vulnerability in maven package org.apache.inlong:sort-connector-base