[ https://issues.apache.org/jira/browse/JCR-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Julian Reschke updated JCR-3883:
--------------------------------

    Summary: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833)  (was: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack)

> Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833)
> ----------------------------------------------------------------------
>
>                 Key: JCR-3883
>                 URL: https://issues.apache.org/jira/browse/JCR-3883
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-webdav
>    Affects Versions: 2.0.5, 2.2.13, 2.4.5, 2.6.5, 2.8, 2.10
>            Reporter: Marcel Reutegger
>            Assignee: Marcel Reutegger
>            Priority: Critical
>             Fix For: 2.10.1, 2.0.6, 2.2.14, 2.4.6, 2.6.6, 2.8.1
>
>         Attachments: CVE-2015-1833-jr-2.0.patch, CVE-2015-1833-jr-2.2.patch, CVE-2015-1833.patch, CVE-2015-1833.txt
>
>
> When processing a WebDAV request body containing XML, the XML parser can be
> instructed to read content from network resources accessible to the host,
> identified by URI schemes such as "http(s)" or "file". Depending on the
> WebDAV request, this can not only be used to trigger internal network
> requests, but might also be used to insert said content into the request,
> potentially exposing it to the attacker and others (for instance, by inserting
> said content in a WebDAV property value using a PROPPATCH request). See also
> IETF RFC 4918, Section 20.6.
>
> This issue was reported by Mikhail Egorov.
>
> Users of the jackrabbit-webdav module are advised to immediately update the
> module to 2.10.1 or disable WebDAV access to the repository. Users
> on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
> apply the fix to the corresponding 2.x branch or disable WebDAV access until
> official releases of those earlier versions are available. Patches for 2.x
> branches are attached to this JIRA issue.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
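As an added illustration of the mitigation class the issue describes (this is not code from the Jackrabbit project or from the attached patches): a JAXP DocumentBuilderFactory configured so that a WebDAV request body carrying a DOCTYPE with an external entity is rejected before any "http(s)" or "file" URI is fetched. The class name, the chosen parser features and the constructed PROPPATCH body are assumptions; RFC 4918 bodies never need a DOCTYPE, so refusing one outright is safe.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedWebDavXmlParser {

    // Constructed sample PROPPATCH body (not from the issue): a DOCTYPE declares an
    // external entity, and the entity reference sits inside a property value. An
    // unhardened parser would resolve the URI and place its content in the property.
    static final String SAMPLE_BODY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE propertyupdate [ <!ENTITY ext SYSTEM \"file:///CONSTRUCTED_PLACEHOLDER\"> ]>\n"
      + "<D:propertyupdate xmlns:D=\"DAV:\"><D:set><D:prop>"
      + "<note xmlns=\"urn:example\">&ext;</note></D:prop></D:set></D:propertyupdate>";

    // Factory settings that disable DTD processing and external entity resolution.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: any DOCTYPE is a fatal parse error.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the first feature is unsupported by another JAXP impl.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Returns true if the body parsed cleanly, false if the hardened parser rejected it.
    static boolean parseRequestBody(String body) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = db.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            // Raised on the DOCTYPE itself, so no entity URI is ever dereferenced.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOCTYPE body accepted: " + parseRequestBody(SAMPLE_BODY));
        String clean = "<D:propfind xmlns:D=\"DAV:\"><D:allprop/></D:propfind>";
        System.out.println("Clean body accepted: " + parseRequestBody(clean));
    }
}
```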