Description
Improper Input Validation in Apache Jackrabbit
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
References
- https://nvd.nist.gov/vuln/detail/CVE-2015-1833
- https://github.com/apache/jackrabbit/commit/17e9f68f5a3f05ded20569777a7b07422680612d
- https://github.com/apache/jackrabbit/commit/26e601934d0f439f0a61d62265f52936d79df40d
- https://github.com/apache/jackrabbit/commit/3903739363b79deb7579802fbc27b9b7448218b2
- https://github.com/apache/jackrabbit/commit/6191b366c607e65325a0116097aca8a359b36486
- https://github.com/apache/jackrabbit/commit/89c5c4ed6ab250ad609829517f167d2dbe0abdd0
- https://github.com/apache/jackrabbit/commit/b7fa1ae39641936872617ff95363353b0345b777
- https://github.com/apache/jackrabbit/commit/ddf9a3cd408397d0805917299c4114b09449373d
- https://issues.apache.org/jira/browse/JCR-3883
- https://www.exploit-db.com/exploits/37110
- http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
- http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
- http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
- http://www.debian.org/security/2015/dsa-3298
Packages
- org.apache.jackrabbit:jackrabbit-core, affected: <= 2.0.5, fixed: 2.0.6
- org.apache.jackrabbit:jackrabbit-core, affected: >= 2.2.0, <= 2.2.13, fixed: 2.2.14
- org.apache.jackrabbit:jackrabbit-core, affected: >= 2.4.0, <= 2.4.5, fixed: 2.4.6
- org.apache.jackrabbit:jackrabbit-core, affected: >= 2.6.0, <= 2.6.5, fixed: 2.6.6
- org.apache.jackrabbit:jackrabbit-core, affected: = 2.8.0, fixed: 2.8.1
- org.apache.jackrabbit:jackrabbit-core, affected: = 2.10.0, fixed: 2.10.1