[
https://issues.apache.org/jira/browse/JCR-5165?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18024283#comment-18024283
]
Julian Reschke commented on JCR-5165:
-------------------------------------
trunk: (2.23.2-beta)
[8ea234923|https://github.com/apache/jackrabbit/commit/8ea2349234b181bf790cad58bfd91fd2763e64a9]
2.22: (2.22.1)
[410d70859|https://github.com/apache/jackrabbit/commit/410d708595750528095db1a2accc95356ddf7311]
2.20: (2.20.17)
[1d6cb3d0f|https://github.com/apache/jackrabbit/commit/1d6cb3d0fcc8d51980b90ddcf94122d3e4add83e]
> XXE vulnerability in jackrabbit-spi-commons
> -------------------------------------------
>
> Key: JCR-5165
> URL: https://issues.apache.org/jira/browse/JCR-5165
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-core, jackrabbit-spi-commons
> Reporter: Julian Reschke
> Assignee: Julian Reschke
> Priority: Critical
> Fix For: 2.20.17, 2.24, 2.22.1, 2.23.2
>
>
> Published: 2025-07-14
> Updated: 2025-07-14
> Title: Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons
> Description
> Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in
> Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to
> load privileges. Users are recommended to upgrade to versions 2.20.17 (Java
> 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this
> issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users
> should update to the respective supported version.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
