exploitDog
CVE-2023-37895

Published: 25 Jul 2023
Source: nvd
CVSS3: 9.8
EPSS: Low

Description

Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMI. Versions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component "commons-beanutils", which contains a class that can be used for remote code execution over RMI.

Users are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive updates anymore.

In general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath. Even if Jackrabbit itself does not contain any code known to be exploitable anymore, adding other components to your server can expose the same type of problem. We therefore recommend to disable RMI access altogether (see further below), and will discuss deprecating RMI support in future Jackrabbit releases.

How to check whether RMI support is enabled

RMI support can be o

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*
Version from 1.0.0 (inclusive) up to 2.20.11 (exclusive)
cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*
Version from 2.21.0 (inclusive) up to 2.21.18 (exclusive)

EPSS

Score: 0.08774
Percentile: 92%
Low

CVSS3

9.8 Critical

Weaknesses

CWE-502

Related vulnerabilities

CVSS3: 9.8
ubuntu
more than 2 years ago

Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMI. Versions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component "commons-beanutils", which contains a class that can be used for remote code execution over RMI. Users are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive updates anymore. In general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath. Even if Jackrabbit itself does not contain any code known to be exploitable anymore, adding other components to your server can expose the same type of problem. We therefore recommend to disable RMI access altogether (see further below), and will discuss deprecating RMI support in future Jackrabbit releases. How to check whether RMI support is enabled: RMI support can be o...

CVSS3: 9.8
debian
more than 2 years ago

Java object deserialization issue in Jackrabbit webapp/standalone on a ...

CVSS3: 9.8
github
more than 2 years ago

Remote code execution in Apache Jackrabbit

CVSS3: 9.8
fstec
more than 2 years ago

Vulnerability in the commons-beanutils component of Apache Jackrabbit, an open-source content repository for the Java platform, allowing an attacker to execute arbitrary code
