Description

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.

Remediation

References

http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E

http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html

http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt

http://www.debian.org/security/2015/dsa-3298

http://www.securityfocus.com/archive/1/535582/100/0/threaded

http://www.securityfocus.com/bid/74761

https://issues.apache.org/jira/browse/JCR-3883

https://www.exploit-db.com/exploits/37110/

Related Vulnerabilities

CVE-2014-3500 Vulnerability in npm package cordova-android

CVE-2023-29207 Vulnerability in maven package org.xwiki.platform:xwiki-platform-flamingo-skin-resources

CVE-2022-36897 Vulnerability in maven package com.compuware.jenkins:compuware-xpediter-code-coverage

CVE-2023-37579 Vulnerability in maven package org.apache.pulsar:pulsar-functions-worker

CVE-2018-1000175 Vulnerability in maven package org.jenkins-ci.plugins:htmlpublisher

Severity

Critical

Classification

CWE-20

Tags

Vendor Advisory Exploit