CVE-2015-1833

Apache Jackrabbit < 2.0.5 - Improper Input Validation

Title source: rule

Description

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.

Exploits (1)

exploitdb WORKING POC
by Mikhail Egorov · python · webapps · java
https://www.exploit-db.com/exploits/37110

Scores

EPSS 0.3103
EPSS Percentile 96.8%

Details

CWE
CWE-20
Status published
Products (28)
apache/jackrabbit 2.2.0
apache/jackrabbit 2.2.1
apache/jackrabbit 2.2.2
apache/jackrabbit 2.2.4
apache/jackrabbit 2.2.5
apache/jackrabbit 2.2.7
apache/jackrabbit 2.2.8
apache/jackrabbit 2.2.9
apache/jackrabbit 2.2.10
apache/jackrabbit 2.2.11
... and 18 more
Published May 29, 2015
Tracked Since Feb 18, 2026