[
https://issues.apache.org/jira/browse/JCR-5165?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Konrad Windszus updated JCR-5165:
---------------------------------
Summary: XXE vulnerability in jackrabbit-spi-commons (was: XXE
vulnerability in jackrabbit-spi-common)
> XXE vulnerability in jackrabbit-spi-commons
> -------------------------------------------
>
> Key: JCR-5165
> URL: https://issues.apache.org/jira/browse/JCR-5165
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-core, jackrabbit-spi-commons
> Reporter: Julian Reschke
> Assignee: Julian Reschke
> Priority: Critical
> Fix For: 2.20.17, 2.24, 2.22.1, 2.23.2
>
>
> Published: 2025-07-14
> Updated: 2025-07-14
> Title: Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons
> Description
> Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in
> Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to
> load privileges. Users are recommended to upgrade to versions 2.20.17 (Java
> 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this
> issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users
> should update to the respective supported version.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
