
18 vulnerabilities found for jackrabbit by apache

FKIE_CVE-2025-58782

Vulnerability from fkie_nvd - Published: 2025-09-08 09:15 - Updated: 2025-11-19 16:17
Summary
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from untrusted users allow them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are advised to review their use of JNDI URIs for JCR lookup.
Impacted products
Vendor Product Version
apache jackrabbit *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7AD40389-2C1F-4C5D-B443-0400AE863BC7",
              "versionEndExcluding": "2.22.2",
              "versionStartIncluding": "1.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.\n\nThis issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.\n\nDeployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data.\nUsers are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup."
    }
  ],
  "id": "CVE-2025-58782",
  "lastModified": "2025-11-19T16:17:33.997",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-08T09:15:30.367",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/t4wdrost6dh17dh406g792j9wq6xmy6v"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2025/09/06/3"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2025-53689

Vulnerability from fkie_nvd - Published: 2025-07-14 10:15 - Updated: 2025-11-04 22:16
Summary
Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.
Impacted products
Vendor Product Version
apache jackrabbit *
apache jackrabbit 2.22.0
apache jackrabbit 2.23.0
apache jackrabbit 2.23.1

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D46FDED7-5B8A-4439-B5C9-A4A7C8AD364E",
              "versionEndExcluding": "2.20.17",
              "versionStartIncluding": "2.20.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.22.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "391DCFCA-4A56-47B8-BE4E-9B218949B029",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.23.0:beta:*:*:*:*:*:*",
              "matchCriteriaId": "1D89D873-60D1-4B52-8E5B-1B07FFC8FB36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.23.1:beta:*:*:*:*:*:*",
              "matchCriteriaId": "A7D1330F-1055-4CA6-A5E8-0A841FF29978",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit \u003c 2.23.2 due to usage of an unsecured document build to load privileges.\n\nUsers are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidades Blind XXE en jackrabbit-spi-commons y jackrabbit-core en Apache Jackrabbit anterior a la versi\u00f3n 2.23.2 debido al uso de una compilaci\u00f3n de documento no segura para cargar privilegios. Se recomienda a los usuarios actualizar a las versiones 2.20.17 (Java 8), 2.22.1 (Java 11) o 2.23.2 (Java 11, versiones beta), que solucionan este problema. Las versiones anteriores (hasta la 2.20.16) ya no son compatibles, por lo que los usuarios deben actualizar a la versi\u00f3n compatible correspondiente."
    }
  ],
  "id": "CVE-2025-53689",
  "lastModified": "2025-11-04T22:16:26.263",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-14T10:15:28.587",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2025/07/14/1"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

FKIE_CVE-2023-37895

Vulnerability from fkie_nvd - Published: 2023-07-25 15:15 - Updated: 2025-02-13 17:16
Summary
Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMI.

Versions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component "commons-beanutils", which contains a class that can be used for remote code execution over RMI. Users are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive updates anymore. In general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath. Even if Jackrabbit itself does not contain any code known to be exploitable anymore, adding other components to your server can expose the same type of problem. We therefore recommend to disable RMI access altogether (see further below), and will discuss deprecating RMI support in future Jackrabbit releases.

How to check whether RMI support is enabled

RMI support can be over an RMI-specific TCP port, and over an HTTP binding. Both are by default enabled in Jackrabbit webapp/standalone. The native RMI protocol by default uses port 1099. To check whether it is enabled, tools like "netstat" can be used to check. RMI-over-HTTP in Jackrabbit by default uses the path "/rmi". So when running standalone on port 8080, check whether an HTTP GET request on localhost:8080/rmi returns 404 (not enabled) or 200 (enabled). 
Turning off RMI

Find web.xml (either in JAR/WAR file or in unpacked web application folder), and remove the declaration and the mapping definition for the RemoteBindingServlet:

        <servlet>
            <servlet-name>RMI</servlet-name>
            <servlet-class>org.apache.jackrabbit.servlet.remote.RemoteBindingServlet</servlet-class>
        </servlet>

        <servlet-mapping>
            <servlet-name>RMI</servlet-name>
            <url-pattern>/rmi</url-pattern>
        </servlet-mapping>

Find the bootstrap.properties file (in $REPOSITORY_HOME), and set

        rmi.enabled=false

    and also remove

        rmi.host
        rmi.port
        rmi.url-pattern

If there is no file named bootstrap.properties in $REPOSITORY_HOME, it is located somewhere in the classpath. In this case, place a copy in $REPOSITORY_HOME and modify it as explained.
Impacted products
Vendor Product Version
apache jackrabbit *
apache jackrabbit *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "69090D07-B142-4C49-83D7-DE36BB67E651",
              "versionEndExcluding": "2.20.11",
              "versionStartIncluding": "1.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "84FA947F-7360-4740-BDB5-046A8D67394D",
              "versionEndExcluding": "2.21.18",
              "versionStartIncluding": "2.21.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMIVersions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component \"commons-beanutils\", which contains a class that can be used for remote code execution over RMI.\n\nUsers are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive updates anymore.\n\nIn general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath. Even if Jackrabbit itself does not contain any code known to be exploitable anymore, adding other components to your server can expose the same type of problem. We therefore recommend to disable RMI access altogether (see further below), and will discuss deprecating RMI support in future Jackrabbit releases.\n\nHow to check whether RMI support is enabledRMI support can be over an RMI-specific TCP port, and over an HTTP binding. Both are by default enabled in Jackrabbit webapp/standalone.\n\nThe native RMI protocol by default uses port 1099. To check whether it is enabled, tools like \"netstat\" can be used to check.\n\nRMI-over-HTTP in Jackrabbit by default uses the path \"/rmi\". So when running standalone on port 8080, check whether an HTTP GET request on localhost:8080/rmi returns 404 (not enabled) or 200 (enabled). 
Note that the HTTP path may be different when the webapp is deployed in a container as non-root context, in which case the prefix is under the user\u0027s control.\n\nTurning off RMIFind web.xml (either in JAR/WAR file or in unpacked web application folder), and remove the declaration and the mapping definition for the RemoteBindingServlet:\n\n\u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet-name\u003eRMI\u003c/servlet-name\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet-class\u003eorg.apache.jackrabbit.servlet.remote.RemoteBindingServlet\u003c/servlet-class\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u003c/servlet\u003e\n\n\u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet-mapping\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet-name\u003eRMI\u003c/servlet-name\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u003curl-pattern\u003e/rmi\u003c/url-pattern\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u003c/servlet-mapping\u003e\n\nFind the bootstrap.properties file (in $REPOSITORY_HOME), and set\n\n\u00a0 \u00a0 \u00a0 \u00a0  rmi.enabled=false\n\n\u00a0 \u00a0 and also remove\n\n\u00a0 \u00a0 \u00a0 \u00a0  rmi.host\n\u00a0 \u00a0 \u00a0 \u00a0  rmi.port\n\u00a0 \u00a0 \u00a0 \u00a0  rmi.url-pattern\n\n\u00a0If there is no file named bootstrap.properties in $REPOSITORY_HOME, it is located somewhere in the classpath. In this case, place a copy in $REPOSITORY_HOME and modify it as explained."
    }
  ],
  "id": "CVE-2023-37895",
  "lastModified": "2025-02-13T17:16:46.300",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-07-25T15:15:13.587",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Broken Link"
      ],
      "url": "http://seclists.org/fulldisclosure/2023/Jul/43"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/07/25/8"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/list.html?users@jackrabbit.apache.org"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://seclists.org/fulldisclosure/2023/Jul/43"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2023/07/25/8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/list.html?users@jackrabbit.apache.org"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security@apache.org",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2016-6801

Vulnerability from fkie_nvd - Published: 2016-09-21 14:25 - Updated: 2025-04-12 10:46
Summary
Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "765A2672-88CB-40B6-811A-9F4FB503B9A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA4CC344-B6B9-48A9-8464-73486964F484",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E361D843-4697-4478-BE2B-4C4E07DC420D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.4.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "16B89FBF-D0D6-4126-9DBB-80E8DFE630EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B190B1F0-4EAD-48EE-A894-B776537A2ECA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.4.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "93B767E2-4E1E-4AF6-BF65-C07769DE88C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C1C9DD4F-690E-4627-8C20-4931E5039D95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "ACED7AF6-383C-4038-9823-BD5F2F054011",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7CFAABB-1E6D-40A4-AE3E-A36A8627CE7A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "F83F02AC-0A32-4949-9EF8-2D3BC3272B08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "21C97A68-5B82-4830-80A9-33052E73A9A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.6.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "D11B4EE2-94EB-4CF3-9E4C-5F0BF86080E4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDD80948-AE24-4CA7-97C0-8017E5504A70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E5B8297A-D8B8-4A16-B661-48B5147211A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "1BE8AA33-D15D-4617-AB8E-FFD8D7A1D6A4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "09FE0F9B-6342-4C92-9EC5-561AAAC2034A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.10.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "5624972E-EF0F-4ECC-A5D0-D4B992072ED1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.10.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "F771AB3A-D171-4B8D-BB6C-EB5F6641292D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.10.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "ACA85218-EC15-4D79-B7E9-951E2F2FCEB4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.12.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4FB2EA72-C202-45E1-8D60-2DD25BE81A4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.12.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "45475992-E9B3-4FA1-AAF9-78C17203141D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.12.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "5DC876E9-B7C7-456E-A03B-4555315F9A2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.12.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A4E1550-2D19-4BF8-8A88-01240AE1E7ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.13.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E1B85ECB-6154-4F87-91F1-380CAD5934F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.13.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D1A0F6DE-ECE3-46C0-AD91-AED29A9B166D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.13.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA678B1D-A448-4EBA-8B90-2913BA8D30ED",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de CSRF en la verificaci\u00f3n de tipo de contenido CSRF en Jackrabbit-Webdav en Apache Jackrabbit 2.4.x en versiones anteriores a 2.4.6, 2.6.x en versiones anteriores a 2.6.6, 2.8.x en versiones anteriores a 2.8.3, 2.10.x en versiones anteriores a 2.10.4, 2.12.x en versiones anteriores a 2.12.4 y 2.13.x en versiones anteriores a 2.13.3 permite a atacantes remotos secuestrar la autenticaci\u00f3n de v\u00edctimas no especificadas para peticiones que crean un recurso a trav\u00e9s de una petici\u00f3n HTTP POST con una (1) p\u00e9rdida o (2) cabecera Content-Type manipulada."
    }
  ],
  "id": "CVE-2016-6801",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-09-21T14:25:21.737",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.debian.org/security/2016/dsa-3679"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2016/09/14/6"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/92966"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.apache.org/jira/browse/JCR-4009"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.debian.org/security/2016/dsa-3679"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2016/09/14/6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/92966"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.apache.org/jira/browse/JCR-4009"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2015-1833

Vulnerability from fkie_nvd - Published: 2015-05-29 15:59 - Updated: 2025-04-12 10:46
Summary
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
References
secalert@redhat.com  http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E  Vendor Advisory
secalert@redhat.com  http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
secalert@redhat.com  http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt  Vendor Advisory
secalert@redhat.com  http://www.debian.org/security/2015/dsa-3298
secalert@redhat.com  http://www.securityfocus.com/archive/1/535582/100/0/threaded
secalert@redhat.com  http://www.securityfocus.com/bid/74761
secalert@redhat.com  https://issues.apache.org/jira/browse/JCR-3883  Vendor Advisory
secalert@redhat.com  https://www.exploit-db.com/exploits/37110/  Exploit
af854a3a-2127-422b-91ae-364da2661108  http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E  Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108  http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
af854a3a-2127-422b-91ae-364da2661108  http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt  Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108  http://www.debian.org/security/2015/dsa-3298
af854a3a-2127-422b-91ae-364da2661108  http://www.securityfocus.com/archive/1/535582/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108  http://www.securityfocus.com/bid/74761
af854a3a-2127-422b-91ae-364da2661108  https://issues.apache.org/jira/browse/JCR-3883  Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108  https://www.exploit-db.com/exploits/37110/  Exploit

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BCA488EB-6AEF-4C3B-B9EC-0269E4C16B8F",
              "versionEndIncluding": "2.0.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE38C192-C0E9-4F30-A4F2-9D4645F76502",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "82E60C57-AC1E-41DC-9B19-7AC1166DC8DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "AECF5291-3FDC-431D-9315-F594AD312B9C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "DD5A9474-5FBC-43CF-824A-F5854FC765BD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.2.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "34E6CC63-EA31-4E7E-ABA8-7EB135C95EBD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.2.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "F7CB306C-90E2-479A-88F4-8A7BE952FC86",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.2.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "428DB1B1-8640-4A3D-8582-940B91B75B4D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.2.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "1A7E3CB1-A333-43F8-B5F8-B39844D0FD3E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.2.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "BFAFC7B2-8421-4E21-9EC1-11FF17456C5B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.2.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B7161CD-E03A-4A2C-9048-3765D82DF35E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.2.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "5695D7A0-35D6-4780-8D07-67FD6270057F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.2.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "AAC1D0EF-7B96-4DB3-9925-0F872AF092EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "765A2672-88CB-40B6-811A-9F4FB503B9A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.4.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "AA4CC344-B6B9-48A9-8464-73486964F484",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.4.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "E361D843-4697-4478-BE2B-4C4E07DC420D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.4.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "16B89FBF-D0D6-4126-9DBB-80E8DFE630EA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.4.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "B190B1F0-4EAD-48EE-A894-B776537A2ECA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.4.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "93B767E2-4E1E-4AF6-BF65-C07769DE88C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C1C9DD4F-690E-4627-8C20-4931E5039D95",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "ACED7AF6-383C-4038-9823-BD5F2F054011",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "A7CFAABB-1E6D-40A4-AE3E-A36A8627CE7A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "F83F02AC-0A32-4949-9EF8-2D3BC3272B08",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "21C97A68-5B82-4830-80A9-33052E73A9A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.6.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "D11B4EE2-94EB-4CF3-9E4C-5F0BF86080E4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FDD80948-AE24-4CA7-97C0-8017E5504A70",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:2.10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "09FE0F9B-6342-4C92-9EC5-561AAAC2034A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de entidad externa XML (XXE) en Apache Jackrabbit anterior a 2.0.6, 2.2.x anterior a 2.2.14, 2.4.x anterior a 2.4.6, 2.6.x anterior a 2.6.6, 2.8.x anterior a 2.8.1, y 2.10.x anterior a 2.10.1 permite a atacantes remotos leer ficheros arbitrarios y enviar solicitudes a servicios de intranet a trav\u00e9s de una solicitud WebDAV manipulada."
    }
  ],
  "id": "CVE-2015-1833",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2015-05-29T15:59:13.063",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.debian.org/security/2015/dsa-3298"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/bid/74761"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.apache.org/jira/browse/JCR-3883"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.exploit-db.com/exploits/37110/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2015/dsa-3298"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/74761"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://issues.apache.org/jira/browse/JCR-3883"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.exploit-db.com/exploits/37110/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2009-0026

Vulnerability from fkie_nvd - Published: 2009-01-21 20:30 - Updated: 2025-04-09 00:30
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp.
Impacted products
Vendor Product Version
apache jackrabbit 1.4
apache jackrabbit 1.5.0

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "6BFB91B7-F3A0-4C57-86B6-03E93B11FF33",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:jackrabbit:1.5.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BF0BCD7D-8C64-49D4-B2E6-FC4C9F702483",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp."
    },
    {
      "lang": "es",
      "value": "Multiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en Apache Jackrabbit anterior a v1.5.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s del parametro \"q\" a (1) search.jsp o (2) swr.jsp."
    }
  ],
  "id": "CVE-2009-0026",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2009-01-21T20:30:00.390",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/33576"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://securityreason.com/securityalert/4942"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/archive/1/500196/100/0/threaded"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.securityfocus.com/bid/33360"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.vupen.com/english/advisories/2009/0177"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48110"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://issues.apache.org/jira/browse/JCR-1925"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/33576"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securityreason.com/securityalert/4942"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/500196/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "http://www.securityfocus.com/bid/33360"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2009/0177"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48110"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://issues.apache.org/jira/browse/JCR-1925"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2025-58782 (GCVE-0-2025-58782)

Vulnerability from cvelistv5 – Published: 2025-09-08 08:53 – Updated: 2025-11-04 21:13
Summary
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from untrusted users allow them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are advised to review their use of JNDI URIs for JCR lookup.
Severity ?
No CVSS data available.
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
Credits
James John

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58782",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-08T19:54:59.077889Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-08T19:55:17.452Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:47.254Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/09/06/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.jackrabbit:jackrabbit-core",
          "product": "Apache Jackrabbit Core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.22.1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.jackrabbit:jackrabbit-jcr-commons",
          "product": "Apache Jackrabbit JCR Commons",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.22.1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "James John"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.\u003c/p\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDeployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.\u003c/p\u003e"
            }
          ],
          "value": "Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.\n\nThis issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.\n\nDeployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data.\nUsers are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-08T08:53:15.818Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/t4wdrost6dh17dh406g792j9wq6xmy6v"
        }
      ],
      "source": {
        "defect": [
          "JCR-5135"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Apache Jackrabbit Core, Apache Jackrabbit JCR Commons: JNDI injection risk with JndiRepositoryFactory",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-58782",
    "datePublished": "2025-09-08T08:53:15.818Z",
    "dateReserved": "2025-09-05T10:47:24.915Z",
    "dateUpdated": "2025-11-04T21:13:47.254Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-53689 (GCVE-0-2025-53689)

Vulnerability from cvelistv5 – Published: 2025-07-14 09:15 – Updated: 2025-11-04 21:12
Summary
Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.
Severity ?
No CVSS data available.
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache Jackrabbit Affected: 2.20.0 , < 2.20.17 (maven)
Affected: 2.22.0 , < 2.22.1 (maven)
Affected: 2.23.0-beta , < 2.23.2-beta (maven)
Credits
Lars Krapf (Adobe); Dylan Pindur (Assetnote); Adam Kues (Assetnote)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-53689",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-14T15:45:32.467940Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-14T15:46:20.206Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:12:33.255Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/07/14/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "org.apache.jackrabbit:jackrabbit-spi-commons",
          "product": "Apache Jackrabbit",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.20.17",
              "status": "affected",
              "version": "2.20.0",
              "versionType": "maven"
            },
            {
              "lessThan": "2.22.1",
              "status": "affected",
              "version": "2.22.0",
              "versionType": "maven"
            },
            {
              "lessThan": "2.23.2-beta",
              "status": "affected",
              "version": "2.23.0-beta",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Lars Krapf - Adobe"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Dylan Pindur - Assetnote"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Adam Kues - Assetnote"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit \u0026lt; 2.23.2 due to usage of an unsecured document build to load privileges.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version."
            }
          ],
          "value": "Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit \u003c 2.23.2 due to usage of an unsecured document build to load privileges.\n\nUsers are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T09:15:38.863Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-53689",
    "datePublished": "2025-07-14T09:15:38.863Z",
    "dateReserved": "2025-07-08T10:21:17.361Z",
    "dateUpdated": "2025-11-04T21:12:33.255Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-37895 (GCVE-0-2023-37895)

Vulnerability from cvelistv5 – Published: 2023-07-25 14:02 – Updated: 2025-02-13 17:01
Summary
Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows an attacker to remotely execute code via RMI.

Versions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component "commons-beanutils", which contains a class that can be used for remote code execution over RMI. Users are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive updates anymore. In general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath. Even if Jackrabbit itself does not contain any code known to be exploitable anymore, adding other components to your server can expose the same type of problem. We therefore recommend disabling RMI access altogether (see further below), and will discuss deprecating RMI support in future Jackrabbit releases.

How to check whether RMI support is enabled
RMI support can be over an RMI-specific TCP port, and over an HTTP binding. Both are by default enabled in Jackrabbit webapp/standalone. The native RMI protocol by default uses port 1099. To check whether it is enabled, tools like "netstat" can be used. RMI-over-HTTP in Jackrabbit by default uses the path "/rmi". So when running standalone on port 8080, check whether an HTTP GET request on localhost:8080/rmi returns 404 (not enabled) or 200 (enabled). Note that the HTTP path may be different when the webapp is deployed in a container as a non-root context, in which case the prefix is under the user's control.
Turning off RMI
Find web.xml (either in the JAR/WAR file or in the unpacked web application folder), and remove the declaration and the mapping definition for the RemoteBindingServlet:

        <servlet>
            <servlet-name>RMI</servlet-name>
            <servlet-class>org.apache.jackrabbit.servlet.remote.RemoteBindingServlet</servlet-class>
        </servlet>
        <servlet-mapping>
            <servlet-name>RMI</servlet-name>
            <url-pattern>/rmi</url-pattern>
        </servlet-mapping>

Find the bootstrap.properties file (in $REPOSITORY_HOME), and set

        rmi.enabled=false

and also remove

        rmi.host
        rmi.port
        rmi.url-pattern

If there is no file named bootstrap.properties in $REPOSITORY_HOME, it is located somewhere in the classpath. In this case, place a copy in $REPOSITORY_HOME and modify it as explained.
Severity ?
No CVSS data available.
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Jackrabbit Webapp (jackrabbit-webapp) Affected: 2.21.0 , < 2.21.18 (maven)
Affected: 1.0.0 , < 2.20.11 (maven)
Credits
Siebene@; Michael Dürig; Manfred Baedke

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:23:27.707Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.apache.org/list.html?users@jackrabbit.apache.org"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Jul/43"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/07/25/8"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "jackrabbit",
            "vendor": "apache",
            "versions": [
              {
                "lessThan": "2.20.11",
                "status": "affected",
                "version": "1.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "2.21.18",
                "status": "affected",
                "version": "2.21.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-37895",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-02T19:25:04.351171Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-02T19:34:47.387Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Jackrabbit Webapp (jackrabbit-webapp)",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.21.18",
              "status": "affected",
              "version": "2.21.0",
              "versionType": "maven"
            },
            {
              "lessThan": "2.20.11",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Apache Jackrabbit Standalone (jackrabbit-standalone and jackrabbit-standalone-components)",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.21.18",
              "status": "affected",
              "version": "2.21.0",
              "versionType": "maven"
            },
            {
              "lessThan": "2.20.11",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Siebene@"
        },
        {
          "lang": "en",
          "type": "other",
          "value": "Michael D\u00fcrig"
        },
        {
          "lang": "en",
          "type": "other",
          "value": "Manfred Baedke"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ch1\u003eJava object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMI\u003c/h1\u003e\u003cdiv\u003eVersions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component \"commons-beanutils\", which contains a class that can be used for remote code execution over RMI.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eUsers are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive updates anymore.\u003cbr\u003e\u003cbr\u003eIn general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath. Even if Jackrabbit itself does not contain any code known to be exploitable anymore, adding other components to your server can expose the same type of problem. We therefore recommend to disable RMI access altogether (see further below), and will discuss deprecating RMI support in future Jackrabbit releases.\u003cbr\u003e\u003c/div\u003e\u003ch2\u003eHow to check whether RMI support is enabled\u003c/h2\u003e\u003cdiv\u003eRMI support can be over an RMI-specific TCP port, and over an HTTP binding. Both are by default enabled in Jackrabbit webapp/standalone.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe native RMI protocol by default uses port 1099. To check whether it is enabled, tools like \"netstat\" can be used to check.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eRMI-over-HTTP in Jackrabbit by default uses the path \"/rmi\". So when running standalone on port 8080, check whether an HTTP GET request on localhost:8080/rmi returns 404 (not enabled) or 200 (enabled). 
Note that the HTTP path may be different when the webapp is deployed in a container as non-root context, in which case the prefix is under the user\u0027s control.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003ch2\u003eTurning off RMI\u003c/h2\u003e\u003cdiv\u003eFind web.xml (either in JAR/WAR file or in unpacked web application folder), and remove the declaration and the mapping definition for the RemoteBindingServlet:\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;servlet\u0026gt;\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;servlet-name\u0026gt;RMI\u0026lt;/servlet-name\u0026gt;\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;servlet-class\u0026gt;org.apache.jackrabbit.servlet.remote.RemoteBindingServlet\u0026lt;/servlet-class\u0026gt;\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;/servlet\u0026gt;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;servlet-mapping\u0026gt;\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;servlet-name\u0026gt;RMI\u0026lt;/servlet-name\u0026gt;\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;url-pattern\u0026gt;/rmi\u0026lt;/url-pattern\u0026gt;\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;/servlet-mapping\u0026gt;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eFind the bootstrap.properties file (in $REPOSITORY_HOME), and set\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;  rmi.enabled=false\u003cbr\u003e\u003cbr\u003e\u0026nbsp; \u0026nbsp; and also remove\u003cbr\u003e\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; 
\u0026nbsp;  rmi.host\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;  rmi.port\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;  rmi.url-pattern\u003cbr\u003e\u003cbr\u003e\u0026nbsp;If there is no file named bootstrap.properties in $REPOSITORY_HOME, it is located somewhere in the classpath. In this case, place a copy in $REPOSITORY_HOME and modify it as explained.\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMIVersions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component \"commons-beanutils\", which contains a class that can be used for remote code execution over RMI.\n\nUsers are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive updates anymore.\n\nIn general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath. Even if Jackrabbit itself does not contain any code known to be exploitable anymore, adding other components to your server can expose the same type of problem. We therefore recommend to disable RMI access altogether (see further below), and will discuss deprecating RMI support in future Jackrabbit releases.\n\nHow to check whether RMI support is enabledRMI support can be over an RMI-specific TCP port, and over an HTTP binding. Both are by default enabled in Jackrabbit webapp/standalone.\n\nThe native RMI protocol by default uses port 1099. To check whether it is enabled, tools like \"netstat\" can be used to check.\n\nRMI-over-HTTP in Jackrabbit by default uses the path \"/rmi\". So when running standalone on port 8080, check whether an HTTP GET request on localhost:8080/rmi returns 404 (not enabled) or 200 (enabled). 
Note that the HTTP path may be different when the webapp is deployed in a container as non-root context, in which case the prefix is under the user\u0027s control.\n\nTurning off RMIFind web.xml (either in JAR/WAR file or in unpacked web application folder), and remove the declaration and the mapping definition for the RemoteBindingServlet:\n\n\u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet-name\u003eRMI\u003c/servlet-name\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet-class\u003eorg.apache.jackrabbit.servlet.remote.RemoteBindingServlet\u003c/servlet-class\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u003c/servlet\u003e\n\n\u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet-mapping\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet-name\u003eRMI\u003c/servlet-name\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u003curl-pattern\u003e/rmi\u003c/url-pattern\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u003c/servlet-mapping\u003e\n\nFind the bootstrap.properties file (in $REPOSITORY_HOME), and set\n\n\u00a0 \u00a0 \u00a0 \u00a0  rmi.enabled=false\n\n\u00a0 \u00a0 and also remove\n\n\u00a0 \u00a0 \u00a0 \u00a0  rmi.host\n\u00a0 \u00a0 \u00a0 \u00a0  rmi.port\n\u00a0 \u00a0 \u00a0 \u00a0  rmi.url-pattern\n\n\u00a0If there is no file named bootstrap.properties in $REPOSITORY_HOME, it is located somewhere in the classpath. In this case, place a copy in $REPOSITORY_HOME and modify it as explained."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-26T06:06:14.830Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://lists.apache.org/list.html?users@jackrabbit.apache.org"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Jul/43"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/07/25/8"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2023-06-30T02:00:00.000Z",
          "value": "Reported"
        },
        {
          "lang": "en",
          "time": "2023-07-20T00:00:00.000Z",
          "value": "Release vote for unstable branch with fix"
        },
        {
          "lang": "en",
          "time": "2023-07-20T00:00:00.000Z",
          "value": "Release vote for stable branch with fix"
        },
        {
          "lang": "en",
          "time": "2023-07-24T19:00:00.000Z",
          "value": "unstable branch (2.21.18) released"
        },
        {
          "lang": "en",
          "time": "2023-07-24T21:00:00.000Z",
          "value": "stable branch (2.20.11) released"
        }
      ],
      "title": "Apache Jackrabbit RMI access can lead to RCE",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-37895",
    "datePublished": "2023-07-25T14:02:10.036Z",
    "dateReserved": "2023-07-10T17:49:13.901Z",
    "dateUpdated": "2025-02-13T17:01:36.333Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-6801 (GCVE-0-2016-6801)

Vulnerability from cvelistv5 – Published: 2016-09-21 14:00 – Updated: 2024-08-06 01:43
Summary
Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:43:37.897Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20160914 CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2016/09/14/6"
          },
          {
            "name": "DSA-3679",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3679"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/JCR-4009"
          },
          {
            "name": "92966",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/92966"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-09-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-09-29T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "[oss-security] 20160914 CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2016/09/14/6"
        },
        {
          "name": "DSA-3679",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3679"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.apache.org/jira/browse/JCR-4009"
        },
        {
          "name": "92966",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/92966"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-6801",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20160914 CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2016/09/14/6"
            },
            {
              "name": "DSA-3679",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3679"
            },
            {
              "name": "https://issues.apache.org/jira/browse/JCR-4009",
              "refsource": "CONFIRM",
              "url": "https://issues.apache.org/jira/browse/JCR-4009"
            },
            {
              "name": "92966",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/92966"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-6801",
    "datePublished": "2016-09-21T14:00:00",
    "dateReserved": "2016-08-12T00:00:00",
    "dateUpdated": "2024-08-06T01:43:37.897Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-1833 (GCVE-0-2015-1833)

Vulnerability from cvelistv5 – Published: 2015-05-29 15:00 – Updated: 2024-08-06 04:54
Summary
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:54:16.299Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "DSA-3298",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2015/dsa-3298"
          },
          {
            "name": "74761",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/74761"
          },
          {
            "name": "37110",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/37110/"
          },
          {
            "name": "[jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"
          },
          {
            "name": "20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/JCR-3883"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-05-21T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "DSA-3298",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2015/dsa-3298"
        },
        {
          "name": "74761",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/74761"
        },
        {
          "name": "37110",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/37110/"
        },
        {
          "name": "[jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"
        },
        {
          "name": "20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.apache.org/jira/browse/JCR-3883"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-1833",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "DSA-3298",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2015/dsa-3298"
            },
            {
              "name": "74761",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/74761"
            },
            {
              "name": "37110",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/37110/"
            },
            {
              "name": "[jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)",
              "refsource": "MLIST",
              "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"
            },
            {
              "name": "20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"
            },
            {
              "name": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt",
              "refsource": "CONFIRM",
              "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"
            },
            {
              "name": "https://issues.apache.org/jira/browse/JCR-3883",
              "refsource": "CONFIRM",
              "url": "https://issues.apache.org/jira/browse/JCR-3883"
            },
            {
              "name": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-1833",
    "datePublished": "2015-05-29T15:00:00",
    "dateReserved": "2015-02-17T00:00:00",
    "dateUpdated": "2024-08-06T04:54:16.299Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2009-0026 (GCVE-0-2009-0026)

Vulnerability from cvelistv5 – Published: 2009-01-21 20:00 – Updated: 2024-08-07 04:17
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T04:17:10.473Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "4942",
            "tags": [
              "third-party-advisory",
              "x_refsource_SREASON",
              "x_transferred"
            ],
            "url": "http://securityreason.com/securityalert/4942"
          },
          {
            "name": "20090120 [ANNOUNCE] Apache Jackrabbit 1.5.2 released",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/500196/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt"
          },
          {
            "name": "jackrabbit-search-swr-xss(48110)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48110"
          },
          {
            "name": "33576",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/33576"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/JCR-1925"
          },
          {
            "name": "ADV-2009-0177",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2009/0177"
          },
          {
            "name": "33360",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/33360"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-01-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-11T19:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "4942",
          "tags": [
            "third-party-advisory",
            "x_refsource_SREASON"
          ],
          "url": "http://securityreason.com/securityalert/4942"
        },
        {
          "name": "20090120 [ANNOUNCE] Apache Jackrabbit 1.5.2 released",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/500196/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt"
        },
        {
          "name": "jackrabbit-search-swr-xss(48110)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48110"
        },
        {
          "name": "33576",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/33576"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.apache.org/jira/browse/JCR-1925"
        },
        {
          "name": "ADV-2009-0177",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2009/0177"
        },
        {
          "name": "33360",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/33360"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2009-0026",
    "datePublished": "2009-01-21T20:00:00",
    "dateReserved": "2008-12-15T00:00:00",
    "dateUpdated": "2024-08-07T04:17:10.473Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-58782 (GCVE-0-2025-58782)

Vulnerability from nvd – Published: 2025-09-08 08:53 – Updated: 2025-11-04 21:13
Summary
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from untrusted users allow those users to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are advised to review their use of JNDI URIs for JCR lookup.
Severity ?
No CVSS data available.
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
Credits
James John

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-58782",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-08T19:54:59.077889Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-08T19:55:17.452Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:13:47.254Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/09/06/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.jackrabbit:jackrabbit-core",
          "product": "Apache Jackrabbit Core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.22.1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.jackrabbit:jackrabbit-jcr-commons",
          "product": "Apache Jackrabbit JCR Commons",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.22.1",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "James John"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.\u003c/p\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDeployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data.\u003c/span\u003e\u003cbr\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.\u003c/p\u003e"
            }
          ],
          "value": "Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.\n\nThis issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.\n\nDeployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data.\nUsers are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-08T08:53:15.818Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/t4wdrost6dh17dh406g792j9wq6xmy6v"
        }
      ],
      "source": {
        "defect": [
          "JCR-5135"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Apache Jackrabbit Core, Apache Jackrabbit JCR Commons: JNDI injection risk with JndiRepositoryFactory",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-58782",
    "datePublished": "2025-09-08T08:53:15.818Z",
    "dateReserved": "2025-09-05T10:47:24.915Z",
    "dateUpdated": "2025-11-04T21:13:47.254Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-53689 (GCVE-0-2025-53689)

Vulnerability from nvd – Published: 2025-07-14 09:15 – Updated: 2025-11-04 21:12
Summary
Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2, due to the use of an unsecured document builder to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are no longer supported, so users should update to the respective supported version.
Severity ?
No CVSS data available.
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
Vendor Product Version
Apache Software Foundation Apache Jackrabbit Affected: 2.20.0 , < 2.20.17 (maven)
Affected: 2.22.0 , < 2.22.1 (maven)
Affected: 2.23.0-beta , < 2.23.2-beta (maven)
Credits
Lars Krapf - Adobe; Dylan Pindur - Assetnote; Adam Kues - Assetnote

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-53689",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-14T15:45:32.467940Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-14T15:46:20.206Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:12:33.255Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/07/14/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "org.apache.jackrabbit:jackrabbit-spi-commons",
          "product": "Apache Jackrabbit",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.20.17",
              "status": "affected",
              "version": "2.20.0",
              "versionType": "maven"
            },
            {
              "lessThan": "2.22.1",
              "status": "affected",
              "version": "2.22.0",
              "versionType": "maven"
            },
            {
              "lessThan": "2.23.2-beta",
              "status": "affected",
              "version": "2.23.0-beta",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Lars Krapf - Adobe"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Dylan Pindur - Assetnote"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Adam Kues - Assetnote"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit \u0026lt; 2.23.2 due to usage of an unsecured document build to load privileges.\u003cbr\u003e\u003cbr\u003eUsers are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version."
            }
          ],
          "value": "Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit \u003c 2.23.2 due to usage of an unsecured document build to load privileges.\n\nUsers are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T09:15:38.863Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-53689",
    "datePublished": "2025-07-14T09:15:38.863Z",
    "dateReserved": "2025-07-08T10:21:17.361Z",
    "dateUpdated": "2025-11-04T21:12:33.255Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-37895 (GCVE-0-2023-37895)

Vulnerability from nvd – Published: 2023-07-25 14:02 – Updated: 2025-02-13 17:01
Summary
Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows an attacker to remotely execute code via RMI. Versions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component "commons-beanutils", which contains a class that can be used for remote code execution over RMI. Users are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive updates anymore. In general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath. Even if Jackrabbit itself does not contain any code known to be exploitable anymore, adding other components to your server can expose the same type of problem. We therefore recommend disabling RMI access altogether (see further below), and will discuss deprecating RMI support in future Jackrabbit releases. How to check whether RMI support is enabled: RMI support can be over an RMI-specific TCP port, and over an HTTP binding. Both are by default enabled in Jackrabbit webapp/standalone. The native RMI protocol by default uses port 1099. To check whether it is enabled, tools like "netstat" can be used. RMI-over-HTTP in Jackrabbit by default uses the path "/rmi". So when running standalone on port 8080, check whether an HTTP GET request on localhost:8080/rmi returns 404 (not enabled) or 200 (enabled). Note that the HTTP path may be different when the webapp is deployed in a container as a non-root context, in which case the prefix is under the user's control.
Turning off RMI: Find web.xml (either in the JAR/WAR file or in the unpacked web application folder), and remove the declaration and the mapping definition for the RemoteBindingServlet:         <servlet>             <servlet-name>RMI</servlet-name>             <servlet-class>org.apache.jackrabbit.servlet.remote.RemoteBindingServlet</servlet-class>         </servlet>         <servlet-mapping>             <servlet-name>RMI</servlet-name>             <url-pattern>/rmi</url-pattern>         </servlet-mapping> Then find the bootstrap.properties file (in $REPOSITORY_HOME), and set         rmi.enabled=false     and also remove         rmi.host         rmi.port         rmi.url-pattern  If there is no file named bootstrap.properties in $REPOSITORY_HOME, it is located somewhere in the classpath. In this case, place a copy in $REPOSITORY_HOME and modify it as explained.
Severity ?
No CVSS data available.
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
Impacted products
Vendor Product Version
Apache Software Foundation Apache Jackrabbit Webapp (jackrabbit-webapp) Affected: 2.21.0 , < 2.21.18 (maven)
Affected: 1.0.0 , < 2.20.11 (maven)
Credits
Siebene@; Michael Dürig; Manfred Baedke

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:23:27.707Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.apache.org/list.html?users@jackrabbit.apache.org"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Jul/43"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/07/25/8"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "jackrabbit",
            "vendor": "apache",
            "versions": [
              {
                "lessThan": "2.20.11",
                "status": "affected",
                "version": "1.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "2.21.18",
                "status": "affected",
                "version": "2.21.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-37895",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-02T19:25:04.351171Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-02T19:34:47.387Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Jackrabbit Webapp (jackrabbit-webapp)",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.21.18",
              "status": "affected",
              "version": "2.21.0",
              "versionType": "maven"
            },
            {
              "lessThan": "2.20.11",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "maven"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Apache Jackrabbit Standalone (jackrabbit-standalone and jackrabbit-standalone-components)",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.21.18",
              "status": "affected",
              "version": "2.21.0",
              "versionType": "maven"
            },
            {
              "lessThan": "2.20.11",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Siebene@"
        },
        {
          "lang": "en",
          "type": "other",
          "value": "Michael D\u00fcrig"
        },
        {
          "lang": "en",
          "type": "other",
          "value": "Manfred Baedke"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003ch1\u003eJava object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMI\u003c/h1\u003e\u003cdiv\u003eVersions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component \"commons-beanutils\", which contains a class that can be used for remote code execution over RMI.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eUsers are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive updates anymore.\u003cbr\u003e\u003cbr\u003eIn general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath. Even if Jackrabbit itself does not contain any code known to be exploitable anymore, adding other components to your server can expose the same type of problem. We therefore recommend to disable RMI access altogether (see further below), and will discuss deprecating RMI support in future Jackrabbit releases.\u003cbr\u003e\u003c/div\u003e\u003ch2\u003eHow to check whether RMI support is enabled\u003c/h2\u003e\u003cdiv\u003eRMI support can be over an RMI-specific TCP port, and over an HTTP binding. Both are by default enabled in Jackrabbit webapp/standalone.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe native RMI protocol by default uses port 1099. To check whether it is enabled, tools like \"netstat\" can be used to check.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eRMI-over-HTTP in Jackrabbit by default uses the path \"/rmi\". So when running standalone on port 8080, check whether an HTTP GET request on localhost:8080/rmi returns 404 (not enabled) or 200 (enabled). 
Note that the HTTP path may be different when the webapp is deployed in a container as non-root context, in which case the prefix is under the user\u0027s control.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003ch2\u003eTurning off RMI\u003c/h2\u003e\u003cdiv\u003eFind web.xml (either in JAR/WAR file or in unpacked web application folder), and remove the declaration and the mapping definition for the RemoteBindingServlet:\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;servlet\u0026gt;\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;servlet-name\u0026gt;RMI\u0026lt;/servlet-name\u0026gt;\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;servlet-class\u0026gt;org.apache.jackrabbit.servlet.remote.RemoteBindingServlet\u0026lt;/servlet-class\u0026gt;\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;/servlet\u0026gt;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;servlet-mapping\u0026gt;\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;servlet-name\u0026gt;RMI\u0026lt;/servlet-name\u0026gt;\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;url-pattern\u0026gt;/rmi\u0026lt;/url-pattern\u0026gt;\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026lt;/servlet-mapping\u0026gt;\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eFind the bootstrap.properties file (in $REPOSITORY_HOME), and set\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;  rmi.enabled=false\u003cbr\u003e\u003cbr\u003e\u0026nbsp; \u0026nbsp; and also remove\u003cbr\u003e\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; 
\u0026nbsp;  rmi.host\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;  rmi.port\u003cbr\u003e\u0026nbsp; \u0026nbsp; \u0026nbsp; \u0026nbsp;  rmi.url-pattern\u003cbr\u003e\u003cbr\u003e\u0026nbsp;If there is no file named bootstrap.properties in $REPOSITORY_HOME, it is located somewhere in the classpath. In this case, place a copy in $REPOSITORY_HOME and modify it as explained.\u003cbr\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u0026nbsp;\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows an attacker to remotely execute code via RMI.\n\nVersions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component \"commons-beanutils\", which contains a class that can be used for remote code execution over RMI.\n\nUsers are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive updates anymore.\n\nIn general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath. Even if Jackrabbit itself does not contain any code known to be exploitable anymore, adding other components to your server can expose the same type of problem. We therefore recommend disabling RMI access altogether (see further below), and will discuss deprecating RMI support in future Jackrabbit releases.\n\nHow to check whether RMI support is enabled\n\nRMI support can be exposed over an RMI-specific TCP port and over an HTTP binding. Both are by default enabled in Jackrabbit webapp/standalone.\n\nThe native RMI protocol by default uses port 1099. To check whether it is enabled, tools like \"netstat\" can be used.\n\nRMI-over-HTTP in Jackrabbit by default uses the path \"/rmi\". So when running standalone on port 8080, check whether an HTTP GET request on localhost:8080/rmi returns 404 (not enabled) or 200 (enabled). 
Note that the HTTP path may be different when the webapp is deployed in a container as non-root context, in which case the prefix is under the user\u0027s control.\n\nTurning off RMI\n\nFind web.xml (either in JAR/WAR file or in unpacked web application folder), and remove the declaration and the mapping definition for the RemoteBindingServlet:\n\n\u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet-name\u003eRMI\u003c/servlet-name\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet-class\u003eorg.apache.jackrabbit.servlet.remote.RemoteBindingServlet\u003c/servlet-class\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u003c/servlet\u003e\n\n\u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet-mapping\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u003cservlet-name\u003eRMI\u003c/servlet-name\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u003curl-pattern\u003e/rmi\u003c/url-pattern\u003e\n\u00a0 \u00a0 \u00a0 \u00a0 \u003c/servlet-mapping\u003e\n\nFind the bootstrap.properties file (in $REPOSITORY_HOME), and set\n\n\u00a0 \u00a0 \u00a0 \u00a0  rmi.enabled=false\n\n\u00a0 \u00a0 and also remove\n\n\u00a0 \u00a0 \u00a0 \u00a0  rmi.host\n\u00a0 \u00a0 \u00a0 \u00a0  rmi.port\n\u00a0 \u00a0 \u00a0 \u00a0  rmi.url-pattern\n\n\u00a0If there is no file named bootstrap.properties in $REPOSITORY_HOME, it is located somewhere in the classpath. In this case, place a copy in $REPOSITORY_HOME and modify it as explained."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-07-26T06:06:14.830Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://lists.apache.org/list.html?users@jackrabbit.apache.org"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Jul/43"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2023/07/25/8"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2023-06-30T02:00:00.000Z",
          "value": "Reported"
        },
        {
          "lang": "en",
          "time": "2023-07-20T00:00:00.000Z",
          "value": "Release vote for unstable branch with fix"
        },
        {
          "lang": "en",
          "time": "2023-07-20T00:00:00.000Z",
          "value": "Release vote for stable branch with fix"
        },
        {
          "lang": "en",
          "time": "2023-07-24T19:00:00.000Z",
          "value": "unstable branch (2.21.18) released"
        },
        {
          "lang": "en",
          "time": "2023-07-24T21:00:00.000Z",
          "value": "stable branch (2.20.11) released"
        }
      ],
      "title": "Apache Jackrabbit RMI access can lead to RCE",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-37895",
    "datePublished": "2023-07-25T14:02:10.036Z",
    "dateReserved": "2023-07-10T17:49:13.901Z",
    "dateUpdated": "2025-02-13T17:01:36.333Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-6801 (GCVE-0-2016-6801)

Vulnerability from nvd – Published: 2016-09-21 14:00 – Updated: 2024-08-06 01:43
Summary
Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:43:37.897Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20160914 CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2016/09/14/6"
          },
          {
            "name": "DSA-3679",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2016/dsa-3679"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/JCR-4009"
          },
          {
            "name": "92966",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/92966"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-09-14T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-09-29T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "[oss-security] 20160914 CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2016/09/14/6"
        },
        {
          "name": "DSA-3679",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2016/dsa-3679"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.apache.org/jira/browse/JCR-4009"
        },
        {
          "name": "92966",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/92966"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-6801",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20160914 CVE-2016-6801: CSRF in Jackrabbit-Webdav using empty content-type",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2016/09/14/6"
            },
            {
              "name": "DSA-3679",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2016/dsa-3679"
            },
            {
              "name": "https://issues.apache.org/jira/browse/JCR-4009",
              "refsource": "CONFIRM",
              "url": "https://issues.apache.org/jira/browse/JCR-4009"
            },
            {
              "name": "92966",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/92966"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-6801",
    "datePublished": "2016-09-21T14:00:00",
    "dateReserved": "2016-08-12T00:00:00",
    "dateUpdated": "2024-08-06T01:43:37.897Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-1833 (GCVE-0-2015-1833)

Vulnerability from nvd – Published: 2015-05-29 15:00 – Updated: 2024-08-06 04:54
Summary
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:54:16.299Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "DSA-3298",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2015/dsa-3298"
          },
          {
            "name": "74761",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/74761"
          },
          {
            "name": "37110",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/37110/"
          },
          {
            "name": "[jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"
          },
          {
            "name": "20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/JCR-3883"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-05-21T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "DSA-3298",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2015/dsa-3298"
        },
        {
          "name": "74761",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/74761"
        },
        {
          "name": "37110",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/37110/"
        },
        {
          "name": "[jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"
        },
        {
          "name": "20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.apache.org/jira/browse/JCR-3883"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-1833",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "DSA-3298",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2015/dsa-3298"
            },
            {
              "name": "74761",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/74761"
            },
            {
              "name": "37110",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/37110/"
            },
            {
              "name": "[jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)",
              "refsource": "MLIST",
              "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"
            },
            {
              "name": "20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"
            },
            {
              "name": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt",
              "refsource": "CONFIRM",
              "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"
            },
            {
              "name": "https://issues.apache.org/jira/browse/JCR-3883",
              "refsource": "CONFIRM",
              "url": "https://issues.apache.org/jira/browse/JCR-3883"
            },
            {
              "name": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2015-1833",
    "datePublished": "2015-05-29T15:00:00",
    "dateReserved": "2015-02-17T00:00:00",
    "dateUpdated": "2024-08-06T04:54:16.299Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2009-0026 (GCVE-0-2009-0026)

Vulnerability from nvd – Published: 2009-01-21 20:00 – Updated: 2024-08-07 04:17
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T04:17:10.473Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "4942",
            "tags": [
              "third-party-advisory",
              "x_refsource_SREASON",
              "x_transferred"
            ],
            "url": "http://securityreason.com/securityalert/4942"
          },
          {
            "name": "20090120 [ANNOUNCE] Apache Jackrabbit 1.5.2 released",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/500196/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt"
          },
          {
            "name": "jackrabbit-search-swr-xss(48110)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48110"
          },
          {
            "name": "33576",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/33576"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/JCR-1925"
          },
          {
            "name": "ADV-2009-0177",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2009/0177"
          },
          {
            "name": "33360",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/33360"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2009-01-20T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the q parameter to (1) search.jsp or (2) swr.jsp."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-11T19:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "4942",
          "tags": [
            "third-party-advisory",
            "x_refsource_SREASON"
          ],
          "url": "http://securityreason.com/securityalert/4942"
        },
        {
          "name": "20090120 [ANNOUNCE] Apache Jackrabbit 1.5.2 released",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/500196/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.apache.org/dist/jackrabbit/RELEASE-NOTES-1.5.2.txt"
        },
        {
          "name": "jackrabbit-search-swr-xss(48110)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/48110"
        },
        {
          "name": "33576",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/33576"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.apache.org/jira/browse/JCR-1925"
        },
        {
          "name": "ADV-2009-0177",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2009/0177"
        },
        {
          "name": "33360",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/33360"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2009-0026",
    "datePublished": "2009-01-21T20:00:00",
    "dateReserved": "2008-12-15T00:00:00",
    "dateUpdated": "2024-08-07T04:17:10.473Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}