CVE-2015-1833
EPSS 31.0%jackrabbit - security update
Published: 5/14/2022Modified: 4/28/2026
Description
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Affected packages (3)
- Debian/jackrabbitfrom 0, < 2.10.1-1
- Debian/jackrabbitfrom 0, < 2.3.6-1+deb7u1
- Maven/org.apache.jackrabbit:jackrabbit-corefrom 0, < 2.0.6
References (16)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-1833
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2015-1833
- PATCHhttps://github.com/apache/jackrabbit
- WEBhttp://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
- WEBhttp://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
- WEBhttps://github.com/apache/jackrabbit/commit/17e9f68f5a3f05ded20569777a7b07422680612d
- WEBhttps://github.com/apache/jackrabbit/commit/26e601934d0f439f0a61d62265f52936d79df40d
- WEBhttps://github.com/apache/jackrabbit/commit/3903739363b79deb7579802fbc27b9b7448218b2
- WEBhttps://github.com/apache/jackrabbit/commit/6191b366c607e65325a0116097aca8a359b36486
- WEBhttps://github.com/apache/jackrabbit/commit/89c5c4ed6ab250ad609829517f167d2dbe0abdd0
- WEBhttps://github.com/apache/jackrabbit/commit/b7fa1ae39641936872617ff95363353b0345b777
- WEBhttps://github.com/apache/jackrabbit/commit/ddf9a3cd408397d0805917299c4114b09449373d
- WEBhttps://issues.apache.org/jira/browse/JCR-3883
- WEBhttps://www.exploit-db.com/exploits/37110
- WEBhttp://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
- WEBhttp://www.debian.org/security/2015/dsa-3298