Description

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.

Remediation

References

http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E

http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html

http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt

http://www.debian.org/security/2015/dsa-3298

http://www.securityfocus.com/archive/1/535582/100/0/threaded

http://www.securityfocus.com/bid/74761

https://issues.apache.org/jira/browse/JCR-3883

https://www.exploit-db.com/exploits/37110/

Related Vulnerabilities

CVE-2020-1945 Vulnerability in maven package org.apache.ant:ant

CVE-2023-41046 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2017-8032 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-uaa

CVE-2022-34169 Vulnerability in maven package xalan:xalan

CVE-2021-3632 Vulnerability in maven package org.keycloak:keycloak-core

Severity

Critical

Classification

CWE-20

Tags

Vendor Advisory Exploit