Vulnerability Details CVE-2015-1833
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.347
EPSS Ranking 96.8%
CVSS Severity
CVSS v2 Score 6.4
References
- http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
- http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
- http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
- http://www.debian.org/security/2015/dsa-3298
- http://www.securityfocus.com/archive/1/535582/100/0/threaded
- http://www.securityfocus.com/bid/74761
- https://issues.apache.org/jira/browse/JCR-3883
- https://www.exploit-db.com/exploits/37110/
- http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
- http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
- http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
- http://www.debian.org/security/2015/dsa-3298
- http://www.securityfocus.com/archive/1/535582/100/0/threaded
- http://www.securityfocus.com/bid/74761
- https://issues.apache.org/jira/browse/JCR-3883
- https://www.exploit-db.com/exploits/37110/
Products affected by CVE-2015-1833
-
cpe:2.3:a:apache:jackrabbit:1.4
-
cpe:2.3:a:apache:jackrabbit:1.5.0
-
cpe:2.3:a:apache:jackrabbit:2.0.5
-
cpe:2.3:a:apache:jackrabbit:2.10.0
-
cpe:2.3:a:apache:jackrabbit:2.2.0
-
cpe:2.3:a:apache:jackrabbit:2.2.1
-
cpe:2.3:a:apache:jackrabbit:2.2.10
-
cpe:2.3:a:apache:jackrabbit:2.2.11
-
cpe:2.3:a:apache:jackrabbit:2.2.12
-
cpe:2.3:a:apache:jackrabbit:2.2.13
-
cpe:2.3:a:apache:jackrabbit:2.2.2
-
cpe:2.3:a:apache:jackrabbit:2.2.4
-
cpe:2.3:a:apache:jackrabbit:2.2.5
-
cpe:2.3:a:apache:jackrabbit:2.2.7
-
cpe:2.3:a:apache:jackrabbit:2.2.8
-
cpe:2.3:a:apache:jackrabbit:2.2.9
-
cpe:2.3:a:apache:jackrabbit:2.4.0
-
cpe:2.3:a:apache:jackrabbit:2.4.1
-
cpe:2.3:a:apache:jackrabbit:2.4.2
-
cpe:2.3:a:apache:jackrabbit:2.4.3
-
cpe:2.3:a:apache:jackrabbit:2.4.4
-
cpe:2.3:a:apache:jackrabbit:2.4.5
-
cpe:2.3:a:apache:jackrabbit:2.6.0
-
cpe:2.3:a:apache:jackrabbit:2.6.1
-
cpe:2.3:a:apache:jackrabbit:2.6.2
-
cpe:2.3:a:apache:jackrabbit:2.6.3
-
cpe:2.3:a:apache:jackrabbit:2.6.4
-
cpe:2.3:a:apache:jackrabbit:2.6.5
-
cpe:2.3:a:apache:jackrabbit:2.8.0