CVE-2015-1833: Input Validation
First published: Fri May 29 2015(Updated: )
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.jackrabbit:jackrabbit-core | =2.10.0 | 2.10.1 |
| maven/org.apache.jackrabbit:jackrabbit-core | =2.8.0 | 2.8.1 |
| maven/org.apache.jackrabbit:jackrabbit-core | >=2.6.0<=2.6.5 | 2.6.6 |
| maven/org.apache.jackrabbit:jackrabbit-core | >=2.4.0<=2.4.5 | 2.4.6 |
| maven/org.apache.jackrabbit:jackrabbit-core | >=2.2.0<=2.2.13 | 2.2.14 |
| maven/org.apache.jackrabbit:jackrabbit-core | <=2.0.5 | 2.0.6 |
| Apache Jackrabbit Oak | <=2.0.5 | |
| Apache Jackrabbit Oak | =2.2.0 | |
| Apache Jackrabbit Oak | =2.2.1 | |
| Apache Jackrabbit Oak | =2.2.2 | |
| Apache Jackrabbit Oak | =2.2.4 | |
| Apache Jackrabbit Oak | =2.2.5 | |
| Apache Jackrabbit Oak | =2.2.7 | |
| Apache Jackrabbit Oak | =2.2.8 | |
| Apache Jackrabbit Oak | =2.2.9 | |
| Apache Jackrabbit Oak | =2.2.10 | |
| Apache Jackrabbit Oak | =2.2.11 | |
| Apache Jackrabbit Oak | =2.2.12 | |
| Apache Jackrabbit Oak | =2.2.13 | |
| Apache Jackrabbit Oak | =2.4.0 | |
| Apache Jackrabbit Oak | =2.4.1 | |
| Apache Jackrabbit Oak | =2.4.2 | |
| Apache Jackrabbit Oak | =2.4.3 | |
| Apache Jackrabbit Oak | =2.4.4 | |
| Apache Jackrabbit Oak | =2.4.5 | |
| Apache Jackrabbit Oak | =2.6.0 | |
| Apache Jackrabbit Oak | =2.6.1 | |
| Apache Jackrabbit Oak | =2.6.2 | |
| Apache Jackrabbit Oak | =2.6.3 | |
| Apache Jackrabbit Oak | =2.6.4 | |
| Apache Jackrabbit Oak | =2.6.5 | |
| Apache Jackrabbit Oak | =2.8.0 | |
| Apache Jackrabbit Oak | =2.10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
- http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
- http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
- http://www.debian.org/security/2015/dsa-3298
- http://www.securityfocus.com/archive/1/535582/100/0/threaded
- http://www.securityfocus.com/bid/74761
- https://issues.apache.org/jira/browse/JCR-3883
- https://www.exploit-db.com/exploits/37110/
- https://nvd.nist.gov/vuln/detail/CVE-2015-1833
- https://github.com/apache/jackrabbit/commit/17e9f68f5a3f05ded20569777a7b07422680612d
- https://github.com/apache/jackrabbit/commit/26e601934d0f439f0a61d62265f52936d79df40d
- https://github.com/apache/jackrabbit/commit/3903739363b79deb7579802fbc27b9b7448218b2
- https://github.com/apache/jackrabbit/commit/6191b366c607e65325a0116097aca8a359b36486
- https://github.com/apache/jackrabbit/commit/89c5c4ed6ab250ad609829517f167d2dbe0abdd0
- https://github.com/apache/jackrabbit/commit/b7fa1ae39641936872617ff95363353b0345b777
- https://github.com/apache/jackrabbit/commit/ddf9a3cd408397d0805917299c4114b09449373d
- https://www.exploit-db.com/exploits/37110
- https://github.com/advisories/GHSA-9284-j4c9-779q (Advisory)
Frequently Asked Questions
What is the severity of CVE-2015-1833?
CVE-2015-1833 is classified as a critical vulnerability due to its potential to allow remote attackers to read arbitrary files.
How do I fix CVE-2015-1833?
To fix CVE-2015-1833, upgrade to Apache Jackrabbit version 2.10.1 or later.
Which versions of Apache Jackrabbit are affected by CVE-2015-1833?
CVE-2015-1833 affects Apache Jackrabbit versions before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1.
What type of attack can be executed using CVE-2015-1833?
Using CVE-2015-1833, attackers can exploit XML external entity (XXE) vulnerabilities to read files and send requests to intranet servers.
Who is impacted by CVE-2015-1833?
Organizations using vulnerable versions of Apache Jackrabbit are exposed to potential data breaches and unauthorized access.
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-9284-j4c9-779q
- alias/CVE-2015-1833
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/severity
- agent/references
- agent/weakness
- agent/softwarecombine
- agent/description
- agent/event
- agent/author
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/maven
- vendor/apache
- canonical/apache jackrabbit oak
- version/apache jackrabbit oak/2.0.5
- version/apache jackrabbit oak/2.2.0
- version/apache jackrabbit oak/2.2.1
- version/apache jackrabbit oak/2.2.2
- version/apache jackrabbit oak/2.2.4
- version/apache jackrabbit oak/2.2.5
- version/apache jackrabbit oak/2.2.7
- version/apache jackrabbit oak/2.2.8
- version/apache jackrabbit oak/2.2.9
- version/apache jackrabbit oak/2.2.10
- version/apache jackrabbit oak/2.2.11
- version/apache jackrabbit oak/2.2.12
- version/apache jackrabbit oak/2.2.13
- version/apache jackrabbit oak/2.4.0
- version/apache jackrabbit oak/2.4.1
- version/apache jackrabbit oak/2.4.2
- version/apache jackrabbit oak/2.4.3
- version/apache jackrabbit oak/2.4.4
- version/apache jackrabbit oak/2.4.5
- version/apache jackrabbit oak/2.6.0
- version/apache jackrabbit oak/2.6.1
- version/apache jackrabbit oak/2.6.2
- version/apache jackrabbit oak/2.6.3
- version/apache jackrabbit oak/2.6.4
- version/apache jackrabbit oak/2.6.5
- version/apache jackrabbit oak/2.8.0
- version/apache jackrabbit oak/2.10.0