CVE-2015-1833
Severity CVSS v4.0:
Pending analysis
Type:
CWE-20
Input Validation
Publication date:
29/05/2015
Last modified:
09/10/2018
Description
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Impact
Base Score 2.0
6.40
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:* | 2.0.5 (including) | |
| cpe:2.3:a:apache:jackrabbit:2.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:jackrabbit:2.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:jackrabbit:2.2.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:jackrabbit:2.2.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:jackrabbit:2.2.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:jackrabbit:2.2.7:*:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:jackrabbit:2.2.8:*:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:jackrabbit:2.2.9:*:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:jackrabbit:2.2.10:*:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:jackrabbit:2.2.11:*:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:jackrabbit:2.2.12:*:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:jackrabbit:2.2.13:*:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:jackrabbit:2.4.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:jackrabbit:2.4.1:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
- http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
- http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
- http://www.debian.org/security/2015/dsa-3298
- http://www.securityfocus.com/archive/1/535582/100/0/threaded
- http://www.securityfocus.com/bid/74761
- https://issues.apache.org/jira/browse/JCR-3883
- https://www.exploit-db.com/exploits/37110/