CVE-2015-1833

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.4 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 96%
VendorProductVersion
apachejackrabbit
𝑥
≤ 2.0.5
apachejackrabbit
2.2.0
apachejackrabbit
2.2.1
apachejackrabbit
2.2.2
apachejackrabbit
2.2.4
apachejackrabbit
2.2.5
apachejackrabbit
2.2.7
apachejackrabbit
2.2.8
apachejackrabbit
2.2.9
apachejackrabbit
2.2.10
apachejackrabbit
2.2.11
apachejackrabbit
2.2.12
apachejackrabbit
2.2.13
apachejackrabbit
2.4.0
apachejackrabbit
2.4.1
apachejackrabbit
2.4.2
apachejackrabbit
2.4.3
apachejackrabbit
2.4.4
apachejackrabbit
2.4.5
apachejackrabbit
2.6.0
apachejackrabbit
2.6.1
apachejackrabbit
2.6.2
apachejackrabbit
2.6.3
apachejackrabbit
2.6.4
apachejackrabbit
2.6.5
apachejackrabbit
2.8.0
apachejackrabbit
2.10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jackrabbit
bullseye
2.18.0+r2.14.6-1
fixed
bookworm
2.20.3-1
fixed
sid
2.20.11-1
fixed
trixie
2.20.11-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jackrabbit
vivid
Fixed 2.3.6-1+deb8u1build0.15.04.1
released
utopic
Fixed 2.3.6-1+deb8u1build0.14.10.1
released
trusty
Fixed 2.3.6-1+deb8u1build0.14.04.1
released
precise
dne
Common Weakness Enumeration
References
http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
http://www.debian.org/security/2015/dsa-3298
http://www.securityfocus.com/archive/1/535582/100/0/threaded
http://www.securityfocus.com/bid/74761
https://issues.apache.org/jira/browse/JCR-3883
https://www.exploit-db.com/exploits/37110/
http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
http://www.debian.org/security/2015/dsa-3298
http://www.securityfocus.com/archive/1/535582/100/0/threaded
http://www.securityfocus.com/bid/74761
https://issues.apache.org/jira/browse/JCR-3883
https://www.exploit-db.com/exploits/37110/