Description
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Remediation
References
http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
http://www.debian.org/security/2015/dsa-3298
http://www.securityfocus.com/archive/1/535582/100/0/threaded
http://www.securityfocus.com/bid/74761
https://issues.apache.org/jira/browse/JCR-3883
https://www.exploit-db.com/exploits/37110/