[
https://issues.apache.org/jira/browse/JCR-5165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Julian Reschke updated JCR-5165:
--------------------------------
Description:
Published: 2025-07-14
Updated: 2025-07-14
Title: Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons
Description
Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in
Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load
privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8),
2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue.
Earlier versions (up to 2.20.16) are not supported anymore, thus users should
update to the respective supported version.
> XXE vulnerability in jackrabbit-spi-common
> ------------------------------------------
>
> Key: JCR-5165
> URL: https://issues.apache.org/jira/browse/JCR-5165
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-core, jackrabbit-spi-commons
> Reporter: Julian Reschke
> Assignee: Julian Reschke
> Priority: Critical
> Fix For: 2.20.17, 2.24, 2.22.1, 2.23.2
>
>
> Published: 2025-07-14
> Updated: 2025-07-14
> Title: Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons
> Description
> Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in
> Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to
> load privileges. Users are recommended to upgrade to versions 2.20.17 (Java
> 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this
> issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users
> should update to the respective supported version.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
