Description
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request. WebDAV methods such as PROPFIND and PROPPATCH carry XML request bodies; the affected versions parsed those bodies with an XML parser that resolved external entities, so a DOCTYPE in the body could declare an entity pointing at a local file (its contents then surface in the response) or at an internal http:// URL (the server issues the request on the attacker's behalf). No authentication beyond whatever the WebDAV endpoint already requires is needed.
Remediation
Upgrade Apache Jackrabbit to the first fixed release of the branch in use: 2.0.6, 2.2.14, 2.4.6, 2.6.6, 2.8.1 or 2.10.1 (or any later release of that branch). Debian packages are covered by DSA-3298, listed below. The fix is tracked upstream as JCR-3883.
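The following is an added example written for this page, not code from the Jackrabbit project: it shows what a hardened JAXP parser configuration for WebDAV request bodies looks like, and checks it against a constructed PROPFIND body of the kind this class of bug is exploited with. The class and method names (WebDavXxeCheck, hardenedFactory, parseRequestBody) and the sample bodies are assumptions made for the example; the feature URIs are the standard Xerces/SAX ones.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class WebDavXxeCheck {

    // Constructed PROPFIND body (not a captured request): the DOCTYPE declares an
    // external general entity that an unhardened parser would read from the local
    // filesystem; a http:// SYSTEM identifier would instead reach intranet hosts.
    static final String MALICIOUS_PROPFIND =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE propfind [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n" +
        "]>\n" +
        "<D:propfind xmlns:D=\"DAV:\">\n" +
        "  <D:prop><D:displayname>&xxe;</D:displayname></D:prop>\n" +
        "</D:propfind>";

    // Constructed benign PROPFIND body: no DOCTYPE, so the hardened parser accepts it.
    static final String BENIGN_PROPFIND =
        "<?xml version=\"1.0\"?>\n" +
        "<D:propfind xmlns:D=\"DAV:\"><D:allprop/></D:propfind>";

    // Hardened factory: refuse DTDs outright (the single setting that closes XXE),
    // and additionally disable external entities, external DTD loading and XInclude
    // in case a particular JAXP implementation does not honour disallow-doctype-decl.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses a WebDAV request body with the hardened factory. Bodies carrying a
    // DOCTYPE are rejected with a SAXException before any entity is resolved.
    static Document parseRequestBody(String body) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(body)));
    }

    public static void main(String[] args) throws Exception {
        Document ok = parseRequestBody(BENIGN_PROPFIND);
        System.out.println("benign body parsed, root = " + ok.getDocumentElement().getNodeName());

        try {
            parseRequestBody(MALICIOUS_PROPFIND);
            System.out.println("UNEXPECTED: body with external entity was accepted");
        } catch (SAXException e) {
            // The parser stops at the DOCTYPE declaration, so neither the file
            // read nor any outbound request ever happens.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

In a servlet handling WebDAV, the SAXException should map to a 400 response without echoing the parser message, and the same factory settings belong on every XML entry point (PROPPATCH, LOCK, REPORT), not only PROPFIND.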
References
http://www.securityfocus.com/bid/74761
https://www.exploit-db.com/exploits/37110/
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
https://issues.apache.org/jira/browse/JCR-3883
http://www.debian.org/security/2015/dsa-3298
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
http://www.securityfocus.com/archive/1/535582/100/0/threaded