CVE-2015-1833

描述

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.

受影響套件(3)

• Debian/jackrabbitfrom 0, < 2.10.1-1
• Debian/jackrabbitfrom 0, < 2.3.6-1+deb7u1
• Maven/org.apache.jackrabbit:jackrabbit-corefrom 0, < 2.0.6

參考連結(16)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-1833
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2015-1833
• PATCHhttps://github.com/apache/jackrabbit
• WEBhttp://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
• WEBhttp://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
• WEBhttps://github.com/apache/jackrabbit/commit/17e9f68f5a3f05ded20569777a7b07422680612d
• WEBhttps://github.com/apache/jackrabbit/commit/26e601934d0f439f0a61d62265f52936d79df40d
• WEBhttps://github.com/apache/jackrabbit/commit/3903739363b79deb7579802fbc27b9b7448218b2
• WEBhttps://github.com/apache/jackrabbit/commit/6191b366c607e65325a0116097aca8a359b36486
• WEBhttps://github.com/apache/jackrabbit/commit/89c5c4ed6ab250ad609829517f167d2dbe0abdd0
• WEBhttps://github.com/apache/jackrabbit/commit/b7fa1ae39641936872617ff95363353b0345b777
• WEBhttps://github.com/apache/jackrabbit/commit/ddf9a3cd408397d0805917299c4114b09449373d
• WEBhttps://issues.apache.org/jira/browse/JCR-3883
• WEBhttps://www.exploit-db.com/exploits/37110
• WEBhttp://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
• WEBhttp://www.debian.org/security/2015/dsa-3298