Description
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Remediation
References
http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
http://www.debian.org/security/2015/dsa-3298
http://www.securityfocus.com/archive/1/535582/100/0/threaded
http://www.securityfocus.com/bid/74761
https://issues.apache.org/jira/browse/JCR-3883
https://www.exploit-db.com/exploits/37110/
Related Vulnerabilities
CVE-2020-10748 Vulnerability in maven package org.keycloak:keycloak-server-spi-private
CVE-2016-6795 Vulnerability in maven package org.apache.struts:struts2-core
CVE-2023-40350 Vulnerability in maven package org.jenkins-ci.plugins:docker-swarm
CVE-2022-34792 Vulnerability in maven package org.jenkins-ci.plugins:recipe
CVE-2019-10080 Vulnerability in maven package org.apache.nifi:nifi-security-utils