Vulnerability Details : CVE-2015-1833
Public exploit exists!
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Vulnerability category: XML external entity (XXE) injection; Input validation
Products affected by CVE-2015-1833
- cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-1833
- EPSS score: 1.87% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~89% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2015-1833
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST | (not recorded)
CWE ids for CVE-2015-1833
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-1833
- CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) [Vendor Advisory]: http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
- Debian -- Security Information -- DSA-3298-1 jackrabbit: http://www.debian.org/security/2015/dsa-3298
- SecurityFocus: http://www.securityfocus.com/archive/1/535582/100/0/threaded
- Apache JackRabbit - WebDAV XML External Entity [Exploit]: https://www.exploit-db.com/exploits/37110/
- [JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833) - ASF JIRA [Vendor Advisory]: https://issues.apache.org/jira/browse/JCR-3883
- Apache Jackrabbit CVE-2015-1833 XML External Entity Information Disclosure Vulnerability: http://www.securityfocus.com/bid/74761
- Jackrabbit WebDAV XXE Injection - Packet Storm: http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
- Apache Jackrabbit 2.10.1 RELEASE-NOTES.txt [Vendor Advisory] (link title was recorded as "404 Not Found"): http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt