Description
Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24
Scores
CVSS v3
8.8
EPSS
0.0047
EPSS Percentile
36.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-611
Status
published
Products (6)
apache/jackrabbit
2.22.0
apache/jackrabbit
2.23.0 beta
apache/jackrabbit
2.23.1 beta
apache/jackrabbit
2.20.0 - 2.20.17
org.apache.jackrabbit/jackrabbit-core
2.23.0-beta - 2.23.2-betaMaven
org.apache.jackrabbit/jackrabbit-spi-commons
2.20.0 - 2.20.17Maven
Published
Jul 14, 2025
Tracked Since
Feb 18, 2026