CVE-2015-1833
Severity: medium
CVSS v3: —
CVSS v4: —
VIR risk: 7.4
Description
Improper input validation (CWE-20) in Apache Jackrabbit: an XML External Entity (XXE) injection reachable through the WebDAV interface, fixed in release 2.10.1.
Predictions
Exploit likelihood: 20%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Apache JackRabbit - WebDAV XML External Entity
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2.10.1-1 |
| debian | bullseye | fixed | 2.10.1-1 |
| debian | forky | fixed | 2.10.1-1 |
| debian | sid | fixed | 2.10.1-1 |
| debian | trixie | fixed | 2.10.1-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.jackrabbit:jackrabbit-core | <2.0.6 | 2.0.6 |
| Maven | org.apache.jackrabbit:jackrabbit-core | >=2.2.0,<2.2.14 | 2.2.14 |
| Maven | org.apache.jackrabbit:jackrabbit-core | >=2.4.0,<2.4.6 | 2.4.6 |
| Maven | org.apache.jackrabbit:jackrabbit-core | >=2.6.0,<2.6.6 | 2.6.6 |
| Maven | org.apache.jackrabbit:jackrabbit-core | >=2.8.0,<2.8.1 | 2.8.1 |
| Maven | org.apache.jackrabbit:jackrabbit-core | >=2.10.0,<2.10.1 | 2.10.1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | jackrabbit | <=2.0.5 | |
| apache | jackrabbit | 2.2.0 | |
| apache | jackrabbit | 2.2.1 | |
| apache | jackrabbit | 2.2.2 | |
| apache | jackrabbit | 2.2.4 | |
| apache | jackrabbit | 2.2.5 | |
| apache | jackrabbit | 2.2.7 | |
| apache | jackrabbit | 2.2.8 | |
| apache | jackrabbit | 2.2.9 | |
| apache | jackrabbit | 2.2.10 | |
| apache | jackrabbit | 2.2.11 | |
| apache | jackrabbit | 2.2.12 | |
| apache | jackrabbit | 2.2.13 | |
| apache | jackrabbit | 2.4.0 | |
| apache | jackrabbit | 2.4.1 | |
| apache | jackrabbit | 2.4.2 | |
| apache | jackrabbit | 2.4.3 | |
| apache | jackrabbit | 2.4.4 | |
| apache | jackrabbit | 2.4.5 | |
| apache | jackrabbit | 2.6.0 | |
| apache | jackrabbit | 2.6.1 | |
| apache | jackrabbit | 2.6.2 | |
| apache | jackrabbit | 2.6.3 | |
| apache | jackrabbit | 2.6.4 | |
| apache | jackrabbit | 2.6.5 | |
| apache | jackrabbit | 2.8.0 | |
| apache | jackrabbit | 2.10.0 | |
References
- http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
- http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
- http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
- http://www.debian.org/security/2015/dsa-3298
- http://www.securityfocus.com/archive/1/535582/100/0/threaded
- http://www.securityfocus.com/bid/74761
- https://issues.apache.org/jira/browse/JCR-3883
- https://www.exploit-db.com/exploits/37110/
- https://nvd.nist.gov/vuln/detail/CVE-2015-1833
- https://github.com/apache/jackrabbit/commit/17e9f68f5a3f05ded20569777a7b07422680612d
- https://github.com/apache/jackrabbit/commit/26e601934d0f439f0a61d62265f52936d79df40d
- https://github.com/apache/jackrabbit/commit/3903739363b79deb7579802fbc27b9b7448218b2
- https://github.com/apache/jackrabbit/commit/6191b366c607e65325a0116097aca8a359b36486
- https://github.com/apache/jackrabbit/commit/89c5c4ed6ab250ad609829517f167d2dbe0abdd0
- https://github.com/apache/jackrabbit/commit/b7fa1ae39641936872617ff95363353b0345b777
- https://github.com/apache/jackrabbit/commit/ddf9a3cd408397d0805917299c4114b09449373d
- https://github.com/apache/jackrabbit
- https://www.exploit-db.com/exploits/37110
- https://security-tracker.debian.org/tracker/CVE-2015-1833
CWEs
CWE-20 (Improper Input Validation)