Search criteria
2 vulnerabilities found for Apache Jackrabbit by Apache Software Foundation
CVE-2025-53689 (GCVE-0-2025-53689)
Vulnerability from cvelistv5 – Published: 2025-07-14 09:15 – Updated: 2025-11-04 21:12
VLAI?
Summary
Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges.
Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.
Severity ?
No CVSS data available.
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Jackrabbit |
Affected:
2.20.0 , < 2.20.17
(maven)
Affected: 2.22.0 , < 2.22.1 (maven) Affected: 2.23.0-beta , < 2.23.2-beta (maven) |
Credits
Lars Krapf - Adobe
Dylan Pindur - Assetnote
Adam Kues - Assetnote
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-53689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T15:45:32.467940Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T15:46:20.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:12:33.255Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/14/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "org.apache.jackrabbit:jackrabbit-spi-commons",
"product": "Apache Jackrabbit",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.20.17",
"status": "affected",
"version": "2.20.0",
"versionType": "maven"
},
{
"lessThan": "2.22.1",
"status": "affected",
"version": "2.22.0",
"versionType": "maven"
},
{
"lessThan": "2.23.2-beta",
"status": "affected",
"version": "2.23.0-beta",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Lars Krapf - Adobe"
},
{
"lang": "en",
"type": "finder",
"value": "Dylan Pindur - Assetnote"
},
{
"lang": "en",
"type": "finder",
"value": "Adam Kues - Assetnote"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit \u0026lt; 2.23.2 due to usage of an unsecured document build to load privileges.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version."
}
],
"value": "Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit \u003c 2.23.2 due to usage of an unsecured document build to load privileges.\n\nUsers are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T09:15:38.863Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-53689",
"datePublished": "2025-07-14T09:15:38.863Z",
"dateReserved": "2025-07-08T10:21:17.361Z",
"dateUpdated": "2025-11-04T21:12:33.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53689 (GCVE-0-2025-53689)
Vulnerability from nvd – Published: 2025-07-14 09:15 – Updated: 2025-11-04 21:12
VLAI?
Summary
Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges.
Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.
Severity ?
No CVSS data available.
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Jackrabbit |
Affected:
2.20.0 , < 2.20.17
(maven)
Affected: 2.22.0 , < 2.22.1 (maven) Affected: 2.23.0-beta , < 2.23.2-beta (maven) |
Credits
Lars Krapf - Adobe
Dylan Pindur - Assetnote
Adam Kues - Assetnote
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-53689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T15:45:32.467940Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T15:46:20.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:12:33.255Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/14/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "org.apache.jackrabbit:jackrabbit-spi-commons",
"product": "Apache Jackrabbit",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.20.17",
"status": "affected",
"version": "2.20.0",
"versionType": "maven"
},
{
"lessThan": "2.22.1",
"status": "affected",
"version": "2.22.0",
"versionType": "maven"
},
{
"lessThan": "2.23.2-beta",
"status": "affected",
"version": "2.23.0-beta",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Lars Krapf - Adobe"
},
{
"lang": "en",
"type": "finder",
"value": "Dylan Pindur - Assetnote"
},
{
"lang": "en",
"type": "finder",
"value": "Adam Kues - Assetnote"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit \u0026lt; 2.23.2 due to usage of an unsecured document build to load privileges.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version."
}
],
"value": "Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit \u003c 2.23.2 due to usage of an unsecured document build to load privileges.\n\nUsers are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version."
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T09:15:38.863Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-53689",
"datePublished": "2025-07-14T09:15:38.863Z",
"dateReserved": "2025-07-08T10:21:17.361Z",
"dateUpdated": "2025-11-04T21:12:33.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}