Description
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Remediation
Upgrade to a release that contains the fix for JCR-3883: 2.0.6, 2.2.14, 2.4.6, 2.6.6, 2.8.1 or 2.10.1, or a later release on the same branch (see the 2.10.1 release notes and the jackrabbit-announce post linked below). Debian users should apply the packages from DSA-3298.
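The bug class behind this advisory is an XML parser that resolves external entities in attacker-supplied WebDAV bodies. The following Java program is an added illustration, not Jackrabbit's own code: it builds a constructed PROPFIND body whose DOCTYPE declares an external entity pointing at a local file (standing in for /etc/passwd or an intranet URL), parses it once with a default-configured JAXP DocumentBuilderFactory, which resolves the entity and leaks the file into the displayname property, and once with a hardened factory that rejects the DOCTYPE outright. The feature URIs are the standard Xerces/JAXP ones; the class name, the temp-file "secret" and the sample body are assumptions made for this example (JDK 11 or later).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class WebDavXxeDemo {

    // Constructed PROPFIND body. The DOCTYPE declares an external general entity
    // whose SYSTEM identifier is a local file; an attacker would use /etc/passwd
    // or http://internal-host/ to read files or reach intranet services.
    static String craftPropfind(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE propfind [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<D:propfind xmlns:D=\"DAV:\">\n"
             + "  <D:prop><D:displayname>&xxe;</D:displayname></D:prop>\n"
             + "</D:propfind>";
    }

    // Vulnerable pattern: a factory with default settings resolves external entities.
    static DocumentBuilder vulnerableBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened pattern: refuse any DOCTYPE (which kills XXE and entity-expansion
    // attacks at once) and, for belt and braces, also switch off external
    // entities, external DTD loading and XInclude.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the request body and return what ended up in D:displayname.
    // getElementsByTagName matches the qualified name, so this works whether or
    // not the factory is namespace-aware.
    static String displayName(DocumentBuilder b, String body) throws Exception {
        Document doc = b.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("D:displayname").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Assumed "secret" file standing in for /etc/passwd.
        Path secret = Files.createTempFile("xxe-secret", ".txt");
        Files.writeString(secret, "root:x:0:0:root:/root:/bin/bash");
        String body = craftPropfind(secret);

        // Default parser: the entity is resolved and the file content is echoed
        // back inside the property value.
        System.out.println("vulnerable parse -> " + displayName(vulnerableBuilder(), body));

        // Hardened parser: the DOCTYPE is rejected before any entity is touched.
        try {
            displayName(hardenedBuilder(), body);
            System.out.println("hardened parse -> unexpectedly succeeded");
        } catch (SAXParseException e) {
            System.out.println("hardened parse -> rejected: " + e.getMessage());
        }
        Files.delete(secret);
    }
}
```

Run with `javac WebDavXxeDemo.java && java WebDavXxeDemo`. The same DOCTYPE mechanism drives the intranet-request variant in the description: point the SYSTEM identifier at an http:// URL and the server, not the attacker, performs the request. Disallowing the DOCTYPE is the simplest complete fix because WebDAV request bodies never legitimately need one.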
References
http://www.securityfocus.com/bid/74761
https://www.exploit-db.com/exploits/37110/
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
https://issues.apache.org/jira/browse/JCR-3883
http://www.debian.org/security/2015/dsa-3298
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
http://www.securityfocus.com/archive/1/535582/100/0/threaded