[ https://issues.apache.org/jira/browse/JCR-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17718854#comment-17718854 ]

Julian Reschke commented on JCR-3883:
-------------------------------------

trunk: (2.10.1) [r1680757|http://svn.apache.org/r1680757]
2.20: (2.10.1) [r1680757|http://svn.apache.org/r1680757]
2.16: (2.10.1) [r1680757|http://svn.apache.org/r1680757]

...in retired branches:
2.18: (2.10.1) [r1680757|http://svn.apache.org/r1680757]
2.14: (2.10.1) [r1680757|http://svn.apache.org/r1680757]
2.12: (2.10.1) [r1680757|http://svn.apache.org/r1680757]
2.10: (2.10.1) [r1680757|http://svn.apache.org/r1680757]
2.8: (2.8.2) [r1680785|http://svn.apache.org/r1680785]
2.6: (2.6.6) [r1680794|http://svn.apache.org/r1680794]
2.4: (2.4.6) [r1680798|http://svn.apache.org/r1680798]
2.2: [r1680800|http://svn.apache.org/r1680800]
2.0: [r1680837|http://svn.apache.org/r1680837] [r1680822|http://svn.apache.org/r1680822]


> Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833)
> ----------------------------------------------------------------------
>
>                 Key: JCR-3883
>                 URL: https://issues.apache.org/jira/browse/JCR-3883
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-webdav
>    Affects Versions: 2.0.5, 2.2.13, 2.4.5, 2.6.5, 2.8, 2.10
>            Reporter: Marcel Reutegger
>            Assignee: Marcel Reutegger
>            Priority: Critical
>             Fix For: 0.9, 2.10.1, 2.4.6, 2.6.6, 2.8.1
>
>         Attachments: CVE-2015-1833-jr-2.0.patch, CVE-2015-1833-jr-2.2.patch, 
> CVE-2015-1833.patch, CVE-2015-1833.txt
>
>
> When processing a WebDAV request body containing XML, the XML parser can be 
> instructed to read content from network resources accessible to the host, 
> identified by URI schemes such as "http(s)" or "file". Depending on the 
> WebDAV request, this can not only be used to trigger internal network 
> requests, but might also be used to insert said content into the request, 
> potentially exposing it to the attacker and others (for instance, by inserting
> said content in a WebDAV property value using a PROPPATCH request). See also
> IETF RFC 4918, Section 20.6.
> This issue was reported by Mikhail Egorov.
> Users of the jackrabbit-webdav module are advised to immediately update the
> module to 2.10.1 or disable WebDAV access to the repository. Users
> on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
> apply the fix to the corresponding 2.x branch or disable WebDAV access until
> official releases of those earlier versions are available. Patches for 2.x
> branches are attached to this JIRA issue.
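The description above explains that the WebDAV request body is handed to an XML parser that will resolve external entities. The following is an added illustration of the mitigation a defender applies at that point (a JAXP parser that refuses DOCTYPE declarations and external entity resolution); it is not Jackrabbit's own fix from the revisions listed in this comment. It assumes the JDK's built-in Xerces parser (the feature URIs are standard Xerces/SAX ones) and uses constructed sample PROPPATCH bodies with a placeholder entity URI.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedWebDavParser {

    /** JAXP factory configured so a request body cannot pull in external content. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // WebDAV bodies never need a DTD: rejecting DOCTYPE removes external
        // entities, parameter entities and entity-expansion bombs in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that would still accept a DOCTYPE.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns the parsed document, or null when the parser rejected the body. */
    static Document parseBody(String body) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        // Last line of defence: refuse to fetch anything the parser still asks for.
        b.setEntityResolver((publicId, systemId) -> {
            throw new SAXParseException("external entity blocked: " + systemId, null);
        });
        try {
            return b.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies, not captured traffic; the entity URI is a placeholder.
        String plain = "<D:propertyupdate xmlns:D=\"DAV:\"><D:set><D:prop>"
                + "<note>hello</note></D:prop></D:set></D:propertyupdate>";
        String withDoctype = "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<D:propertyupdate xmlns:D=\"DAV:\"><D:set><D:prop>"
                + "<note>&ext;</note></D:prop></D:set></D:propertyupdate>";
        System.out.println("plain body accepted: " + (parseBody(plain) != null));
        System.out.println("DOCTYPE body accepted: " + (parseBody(withDoctype) != null));
    }
}
```

The first body parses normally; the second is refused at the DOCTYPE declaration, before any entity URI is ever resolved, which is the behaviour to verify when checking a deployed parser configuration.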



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
