GitHub Advisory DatabaseGHSA-9284-J4C9-779QImproper Input Validation in Apache Jackrabbit
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.019 Low
EPSS
Percentile
88.6%
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Affected configurations
References
mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
www.debian.org/security/2015/dsa-3298
github.com/advisories/GHSA-9284-j4c9-779q
github.com/apache/jackrabbit/commit/17e9f68f5a3f05ded20569777a7b07422680612d
github.com/apache/jackrabbit/commit/26e601934d0f439f0a61d62265f52936d79df40d
github.com/apache/jackrabbit/commit/3903739363b79deb7579802fbc27b9b7448218b2
github.com/apache/jackrabbit/commit/6191b366c607e65325a0116097aca8a359b36486
github.com/apache/jackrabbit/commit/89c5c4ed6ab250ad609829517f167d2dbe0abdd0
github.com/apache/jackrabbit/commit/b7fa1ae39641936872617ff95363353b0345b777
github.com/apache/jackrabbit/commit/ddf9a3cd408397d0805917299c4114b09449373d
issues.apache.org/jira/browse/JCR-3883
nvd.nist.gov/vuln/detail/CVE-2015-1833
www.exploit-db.com/exploits/37110
Related
6.4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.019 Low
EPSS
Percentile
88.6%