CVE-2015-1833

medium

Description

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.

References

https://issues.apache.org/jira/browse/JCR-3883

http://www.securityfocus.com/bid/74761

http://www.securityfocus.com/archive/1/535582/100/0/threaded

http://www.debian.org/security/2015/dsa-3298

http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt

http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html

http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E

Details

Source: MITRE, NVD

Published: 2015-05-29

Updated: 2018-10-09

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Severity: Medium