CVE-2015-1833
Published: 2015-05-29
CVE-2015-1833: XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and…
Priority: P262 · medium · CVSS 2.0 base score 6.4
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Exploit: public exploit available
EPSS: 51.49% (98.8th percentile)
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Affected
32 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | jackrabbit | <= 2.0.5 | — |
Detection & IOCs (extracted from sources)
- Detect XXE exploitation attempts targeting WebDAV endpoints by monitoring PROPPATCH and PROPFIND HTTP requests containing XML with DOCTYPE/ENTITY declarations referencing external URIs (file://, http://, https://).
- Alert on outbound FTP connections from the WebDAV server process to attacker-controlled hosts, particularly the FTP banner '220 xxe-ftp-server', which is the OOB exfiltration channel used by the exploit.
- Monitor HTTP requests to WebDAV endpoints with Content-Type: application/xml and HTTP verbs PROPPATCH or PROPFIND for embedded external entity references.
- Detect file:// URI scheme usage within XML bodies of WebDAV requests, especially references to /proc/self/cwd, which the exploit uses to enumerate the server's working directory.
- Flag WebDAV requests where the XML body contains URI schemes such as 'http(s)' or 'file' that could trigger internal network requests or file disclosure via XXE.
- The exploit supports three techniques (inb1, inb2, oob) with different requirements: inb1 does not require attacker visibility but has content limitations; inb2 requires valid credentials and an attacker-visible IP; oob works with anonymous credentials but is less stable.
- The vulnerability affects not only Apache Jackrabbit directly but also software incorporating its WebDAV plugin, including Apache Sling and Adobe AEM.
- The OOB technique uses an FTP server on the attacker side (default port 9999) and an HTTP server (default port 9998) to receive exfiltrated data; detection must account for both channels.
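The request-side checks in the notes above, as an added example (not code from the original page or from the Jackrabbit project): it parses a raw HTTP request and flags a PROPFIND/PROPPATCH body whose DOCTYPE or ENTITY declaration points at a file, http(s) or ftp URI. The host name, paths and request bodies are constructed fixtures, not captured traffic.

```python
import re

# Added example, not from the original page or the Jackrabbit project: flags
# PROPFIND/PROPPATCH requests whose XML body declares a DOCTYPE or ENTITY with an
# external URI (file, http(s), ftp), the pattern the detection notes describe.
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH"}
RISKY_SCHEMES = {"file", "http", "https", "ftp"}
# External identifier in a DOCTYPE/ENTITY declaration: SYSTEM "uri" or PUBLIC "id" "uri"
EXTERNAL_ID_RE = re.compile(
    r'<!(?:DOCTYPE|ENTITY)\s[^>]*?(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]+)"', re.I | re.S)
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)

def parse_request(raw):
    """Split a raw HTTP request into (verb, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    verb, path = request_line.split(" ", 2)[:2]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return verb.upper(), path, headers, body

def external_entity_uris(body):
    """Every external URI referenced from a DOCTYPE/ENTITY declaration in the body."""
    return EXTERNAL_ID_RE.findall(body)

def classify(raw):
    """Alert dict for a WebDAV request carrying a risky external entity, else None."""
    verb, path, headers, body = parse_request(raw)
    if verb not in WEBDAV_VERBS or "xml" not in headers.get("content-type", ""):
        return None
    uris = external_entity_uris(body)
    schemes = {m.group(1).lower() for m in map(SCHEME_RE.match, uris) if m}
    hits = sorted(schemes & RISKY_SCHEMES)
    if not hits:
        return None
    return {"verb": verb, "path": path, "uris": uris, "schemes": hits}

# Constructed sample traffic (not captured from any real system).
BENIGN = ("PROPFIND /repository/default/ HTTP/1.1\r\nHost: dav.example.internal\r\n"
          "Content-Type: application/xml\r\n\r\n"
          '<?xml version="1.0"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')
SUSPICIOUS = ("PROPPATCH /repository/default/notes.txt HTTP/1.1\r\n"
              "Host: dav.example.internal\r\nContent-Type: application/xml\r\n\r\n"
              '<?xml version="1.0"?>\n<!DOCTYPE propertyupdate [\n'
              '  <!ENTITY ext SYSTEM "file:///proc/self/cwd">\n]>\n'
              '<D:propertyupdate xmlns:D="DAV:"><D:set><D:prop>'
              "<note>&ext;</note></D:prop></D:set></D:propertyupdate>")
```

A DOCTYPE of any kind is unusual in a WebDAV body, so a stricter rule can alert on `<!DOCTYPE` alone and use the scheme list only for severity.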
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| osv | — | 6.4 | MEDIUM | — |
| vendor_debian | — | 6.4 | MEDIUM | — |
| vendor_redhat | — | 6.4 | MEDIUM | — |
GHSA
Improper Input Validation in Apache Jackrabbit
ghsa · 2022-05-14 · MEDIUM · CWE-20 Improper Input Validation
OSV
Improper Input Validation in Apache Jackrabbit
osv · 2022-05-14 · MEDIUM
OSV
CVE-2015-1833: XML external entity (XXE) vulnerability in Apache Jackrabbit before 2
osv · 2015-05-29 · CVSS 6.4 · MEDIUM
Red Hat
jackrabbit: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack
vendor_redhat · 2015-05-21 · CVSS 6.4 · MEDIUM
Package: jackrabbit-webdav (Red Hat JBoss Fuse Service Works 6) - Not affected
Package: jenkins (Red Hat OpenShift Enterprise 2) - Not affected
Package: openshift-origin-cartridge-fuse (Red Hat OpenShift Enterprise 2) - Not affected
Debian
CVE-2015-1833: jackrabbit - XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x...
vendor_debian · 2015 · CVSS 6.4 · MEDIUM
Scope: local
bookworm: resolved (fixed in 2.10.1-1)
bullseye: resolved (fixed in 2.10.1-1)
forky: resolved (fixed in 2.10.1-1)
sid: resolved (fixed in 2.10.1-1)
trixie: resolved (fixed in 2.10.1-1)
No detection rules found.
Bugzilla
CVE-2015-1833 jackrabbit: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack [fedora-all]
bugzilla · 2015-05-21 · CVSS 6.4 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple suppor
Bugzilla
CVE-2015-1833 jackrabbit: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack
bugzilla · 2015-05-21 · CVSS 6.4 · MEDIUM
Version 2.10.1 of Apache Jackrabbit fixes XXE/XEE issue in the jackrabbit-webdav module.
Part of original advisory:
"""
When processing a WebDAV request body containing XML, the XML parser can be
instructed to read content from network resources accessible to the host,
identified by URI schemes such as "http(s)" or "file". Depending on the
WebDAV request, this can not only be used to trigger internal network
requests, but might also be used to insert said content into the request,
potentially exposing it to the attacker and others (for instance, by inserting
said content in a WebDAV property value using a PROPPATCH request). See also
IETF RFC 4918, Section 20.6.
"""
Original report: http://seclists.org/bugtr
References
- http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
- http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
- http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
- http://www.debian.org/security/2015/dsa-3298
- http://www.securityfocus.com/archive/1/535582/100/0/threaded
- http://www.securityfocus.com/bid/74761
- https://issues.apache.org/jira/browse/JCR-3883
- https://www.exploit-db.com/exploits/37110/
Published: 2015-05-29