CVE-2025-53689
HIGH8.8EPSS 0.21%Apache Jackrabbit vulnerable to blind XXE attack due to insecure document build
發布日:2025/7/14修改日:2025/11/5
描述
Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.
受影響套件(3)
- Debian/jackrabbitfrom 0
- Maven/org.apache.jackrabbit:jackrabbit-core>= 2.23.0-beta, < 2.23.2-beta
- Maven/org.apache.jackrabbit:jackrabbit-spi-commons>= 2.20.0, < 2.20.17
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-53689
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-53689
- PATCHhttps://github.com/apache/jackrabbit
- WEBhttps://github.com/apache/jackrabbit/pull/263/commits/02786c0a01838580252bdab79bfa54026c30294e
- WEBhttps://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24
- WEBhttp://www.openwall.com/lists/oss-security/2025/07/14/1