Detections
Analytics

Debian DSA-3298-1 : jackrabbit - security update

medium Nessus Plugin ID 84474

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

It was discovered that the Jackrabbit WebDAV bundle was susceptible to a XXE/XEE attack. When processing a WebDAV request body containing XML, the XML parser could be instructed to read content from network resources accessible to the host, identified by URI schemes such as'http(s)' or 'file'. Depending on the WebDAV request, this could not only be used to trigger internal network requests, but might also be used to insert said content into the request, potentially exposing it to the attacker and others.

Solution

Upgrade the jackrabbit packages.

For the oldstable distribution (wheezy), this problem has been fixed in version 2.3.6-1+deb7u1.

For the stable distribution (jessie), this problem has been fixed in version 2.3.6-1+deb8u1.

See Also

https://packages.debian.org/source/wheezy/jackrabbit

https://packages.debian.org/source/jessie/jackrabbit

https://www.debian.org/security/2015/dsa-3298

Plugin Details

Severity: Medium

ID: 84474

File Name: debian_DSA-3298.nasl

Version: 2.8

Type: local

Agent: unix

Published: 7/1/2015

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:jackrabbit, cpe:/o:debian:debian_linux:8.0, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/1/2015

Reference Information

CVE: CVE-2015-1833

BID: 74761

DSA: 3298