CVE-2015-1833

EUVD-2022-3268
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.4 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
Affected Products (NVD)
VendorProductVersion
apachejackrabbit
𝑥
≤ 2.0.5
apachejackrabbit
2.2.0
apachejackrabbit
2.2.1
apachejackrabbit
2.2.2
apachejackrabbit
2.2.4
apachejackrabbit
2.2.5
apachejackrabbit
2.2.7
apachejackrabbit
2.2.8
apachejackrabbit
2.2.9
apachejackrabbit
2.2.10
apachejackrabbit
2.2.11
apachejackrabbit
2.2.12
apachejackrabbit
2.2.13
apachejackrabbit
2.4.0
apachejackrabbit
2.4.1
apachejackrabbit
2.4.2
apachejackrabbit
2.4.3
apachejackrabbit
2.4.4
apachejackrabbit
2.4.5
apachejackrabbit
2.6.0
apachejackrabbit
2.6.1
apachejackrabbit
2.6.2
apachejackrabbit
2.6.3
apachejackrabbit
2.6.4
apachejackrabbit
2.6.5
apachejackrabbit
2.8.0
apachejackrabbit
2.10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jackrabbit
bookworm
2.20.3-1
fixed
bullseye
2.18.0+r2.14.6-1
fixed
sid
2.20.11-1
fixed
trixie
2.20.11-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jackrabbit
precise
dne
trusty
Fixed 2.3.6-1+deb8u1build0.14.04.1
released
utopic
Fixed 2.3.6-1+deb8u1build0.14.10.1
released
vivid
Fixed 2.3.6-1+deb8u1build0.15.04.1
released
Common Weakness Enumeration
References
http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
http://www.debian.org/security/2015/dsa-3298
http://www.securityfocus.com/archive/1/535582/100/0/threaded
http://www.securityfocus.com/bid/74761
https://issues.apache.org/jira/browse/JCR-3883
https://www.exploit-db.com/exploits/37110/
http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
http://www.debian.org/security/2015/dsa-3298
http://www.securityfocus.com/archive/1/535582/100/0/threaded
http://www.securityfocus.com/bid/74761
https://issues.apache.org/jira/browse/JCR-3883
https://www.exploit-db.com/exploits/37110/