CVE-2015-1833 - Vulnerability Details

Vendors	Products
Apache	Jackrabbit

Link	Providers
http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
http://www.debian.org/security/2015/dsa-3298
http://www.securityfocus.com/archive/1/535582/100/0/threaded
http://www.securityfocus.com/bid/74761
https://issues.apache.org/jira/browse/JCR-3883
https://nvd.nist.gov/vuln/detail/CVE-2015-1833
https://www.cve.org/CVERecord?id=CVE-2015-1833
https://www.exploit-db.com/exploits/37110/

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-05-21T00:00:00", "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "DSA-3298", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3298"}, {"name": "74761", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/74761"}, {"name": "37110", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/37110/"}, {"name": "[jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"}, {"name": "20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.apache.org/jira/browse/JCR-3883"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-1833", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-3298", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3298"}, {"name": "74761", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74761"}, {"name": "37110", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/37110/"}, {"name": "[jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"}, {"name": "20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"}, {"name": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt", "refsource": "CONFIRM", "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"}, {"name": "https://issues.apache.org/jira/browse/JCR-3883", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/JCR-3883"}, {"name": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T04:54:16.299Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-3298", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3298"}, {"name": "74761", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/74761"}, {"name": "37110", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/37110/"}, {"name": "[jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"}, {"name": "20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.apache.org/jira/browse/JCR-3883"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-1833", "datePublished": "2015-05-29T15:00:00", "dateReserved": "2015-02-17T00:00:00", "dateUpdated": "2024-08-06T04:54:16.299Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : n/a (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : n/a (string)

}

]

}

]

datePublic : 2015-05-21T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : n/a (string)

lang : en (string)

type : text (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2018-10-09T18:57:01 (string)

orgId : 53f830b8-0a3f-465b-8143-3b8a9948e749 (string)

shortName : redhat (string)

}

references : [ »

0 : { »

name : DSA-3298 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_DEBIAN (string)

]

url : http://www.debian.org/security/2015/dsa-3298 (string)

}

1 : { »

name : 74761 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_BID (string)

]

url : http://www.securityfocus.com/bid/74761 (string)

}

2 : { »

name : 37110 (string)

tags : [ »

0 : exploit (string)

1 : x_refsource_EXPLOIT-DB (string)

]

url : https://www.exploit-db.com/exploits/37110/ (string)

}

3 : { »

name : [jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

]

url : http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E (string)

}

4 : { »

name : 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_BUGTRAQ (string)

]

url : http://www.securityfocus.com/archive/1/535582/100/0/threaded (string)

}

5 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt (string)

}

6 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://issues.apache.org/jira/browse/JCR-3883 (string)

}

7 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : secalert@redhat.com (string)

ID : CVE-2015-1833 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : n/a (string)

version : { »

version_data : [ »

0 : { »

version_value : n/a (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : n/a (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : DSA-3298 (string)

refsource : DEBIAN (string)

url : http://www.debian.org/security/2015/dsa-3298 (string)

}

1 : { »

name : 74761 (string)

refsource : BID (string)

url : http://www.securityfocus.com/bid/74761 (string)

}

2 : { »

name : 37110 (string)

refsource : EXPLOIT-DB (string)

url : https://www.exploit-db.com/exploits/37110/ (string)

}

3 : { »

name : [jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) (string)

refsource : MLIST (string)

url : http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E (string)

}

4 : { »

name : 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) (string)

refsource : BUGTRAQ (string)

url : http://www.securityfocus.com/archive/1/535582/100/0/threaded (string)

}

5 : { »

name : http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt (string)

refsource : CONFIRM (string)

url : http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt (string)

}

6 : { »

name : https://issues.apache.org/jira/browse/JCR-3883 (string)

refsource : CONFIRM (string)

url : https://issues.apache.org/jira/browse/JCR-3883 (string)

}

7 : { »

name : http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html (string)

refsource : MISC (string)

url : http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-06T04:54:16.299Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

name : DSA-3298 (string)

tags : [ »

0 : vendor-advisory (string)

1 : x_refsource_DEBIAN (string)

2 : x_transferred (string)

]

url : http://www.debian.org/security/2015/dsa-3298 (string)

}

1 : { »

name : 74761 (string)

tags : [ »

0 : vdb-entry (string)

1 : x_refsource_BID (string)

2 : x_transferred (string)

]

url : http://www.securityfocus.com/bid/74761 (string)

}

2 : { »

name : 37110 (string)

tags : [ »

0 : exploit (string)

1 : x_refsource_EXPLOIT-DB (string)

2 : x_transferred (string)

]

url : https://www.exploit-db.com/exploits/37110/ (string)

}

3 : { »

name : [jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_MLIST (string)

2 : x_transferred (string)

]

url : http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E (string)

}

4 : { »

name : 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) (string)

tags : [ »

0 : mailing-list (string)

1 : x_refsource_BUGTRAQ (string)

2 : x_transferred (string)

]

url : http://www.securityfocus.com/archive/1/535582/100/0/threaded (string)

}

5 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt (string)

}

6 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://issues.apache.org/jira/browse/JCR-3883 (string)

}

7 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 53f830b8-0a3f-465b-8143-3b8a9948e749 (string)

assignerShortName : redhat (string)

cveId : CVE-2015-1833 (string)

datePublished : 2015-05-29T15:00:00 (string)

dateReserved : 2015-02-17T00:00:00 (string)

dateUpdated : 2024-08-06T04:54:16.299Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCA488EB-6AEF-4C3B-B9EC-0269E4C16B8F", "versionEndIncluding": "2.0.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE38C192-C0E9-4F30-A4F2-9D4645F76502", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "82E60C57-AC1E-41DC-9B19-7AC1166DC8DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "AECF5291-3FDC-431D-9315-F594AD312B9C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "DD5A9474-5FBC-43CF-824A-F5854FC765BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "34E6CC63-EA31-4E7E-ABA8-7EB135C95EBD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "F7CB306C-90E2-479A-88F4-8A7BE952FC86", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "428DB1B1-8640-4A3D-8582-940B91B75B4D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "1A7E3CB1-A333-43F8-B5F8-B39844D0FD3E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "BFAFC7B2-8421-4E21-9EC1-11FF17456C5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "1B7161CD-E03A-4A2C-9048-3765D82DF35E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "5695D7A0-35D6-4780-8D07-67FD6270057F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.13:*:*:*:*:*:*:*", "matchCriteriaId": "AAC1D0EF-7B96-4DB3-9925-0F872AF092EA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "765A2672-88CB-40B6-811A-9F4FB503B9A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "AA4CC344-B6B9-48A9-8464-73486964F484", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "E361D843-4697-4478-BE2B-4C4E07DC420D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "16B89FBF-D0D6-4126-9DBB-80E8DFE630EA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "B190B1F0-4EAD-48EE-A894-B776537A2ECA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "93B767E2-4E1E-4AF6-BF65-C07769DE88C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "C1C9DD4F-690E-4627-8C20-4931E5039D95", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "ACED7AF6-383C-4038-9823-BD5F2F054011", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "A7CFAABB-1E6D-40A4-AE3E-A36A8627CE7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "F83F02AC-0A32-4949-9EF8-2D3BC3272B08", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "21C97A68-5B82-4830-80A9-33052E73A9A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "D11B4EE2-94EB-4CF3-9E4C-5F0BF86080E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "FDD80948-AE24-4CA7-97C0-8017E5504A70", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "09FE0F9B-6342-4C92-9EC5-561AAAC2034A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request."}, {"lang": "es", "value": "Vulnerabilidad de entidad externa XML (XXE) en Apache Jackrabbit anterior a 2.0.6, 2.2.x anterior a 2.2.14, 2.4.x anterior a 2.4.6, 2.6.x anterior a 2.6.6, 2.8.x anterior a 2.8.1, y 2.10.x anterior a 2.10.1 permite a atacantes remotos leer ficheros arbitrarios y enviar solicitudes a servicios de intranet a trav\u00e9s de una solicitud WebDAV manipulada."}], "id": "CVE-2015-1833", "lastModified": "2024-11-21T02:26:14.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-05-29T15:59:13.063", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"}, {"source": "secalert@redhat.com", "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2015/dsa-3298"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/74761"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/JCR-3883"}, {"source": "secalert@redhat.com", "tags": ["Exploit"], "url": "https://www.exploit-db.com/exploits/37110/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3298"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/74761"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/JCR-3883"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://www.exploit-db.com/exploits/37110/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:* (string)

matchCriteriaId : BCA488EB-6AEF-4C3B-B9EC-0269E4C16B8F (string)

versionEndIncluding : 2.0.5 (string)

vulnerable : true (boolean)

}

1 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.2.0:*:*:*:*:*:*:* (string)

matchCriteriaId : EE38C192-C0E9-4F30-A4F2-9D4645F76502 (string)

vulnerable : true (boolean)

}

2 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.2.1:*:*:*:*:*:*:* (string)

matchCriteriaId : 82E60C57-AC1E-41DC-9B19-7AC1166DC8DB (string)

vulnerable : true (boolean)

}

3 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.2.2:*:*:*:*:*:*:* (string)

matchCriteriaId : AECF5291-3FDC-431D-9315-F594AD312B9C (string)

vulnerable : true (boolean)

}

4 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.2.4:*:*:*:*:*:*:* (string)

matchCriteriaId : DD5A9474-5FBC-43CF-824A-F5854FC765BD (string)

vulnerable : true (boolean)

}

5 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.2.5:*:*:*:*:*:*:* (string)

matchCriteriaId : 34E6CC63-EA31-4E7E-ABA8-7EB135C95EBD (string)

vulnerable : true (boolean)

}

6 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.2.7:*:*:*:*:*:*:* (string)

matchCriteriaId : F7CB306C-90E2-479A-88F4-8A7BE952FC86 (string)

vulnerable : true (boolean)

}

7 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.2.8:*:*:*:*:*:*:* (string)

matchCriteriaId : 428DB1B1-8640-4A3D-8582-940B91B75B4D (string)

vulnerable : true (boolean)

}

8 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.2.9:*:*:*:*:*:*:* (string)

matchCriteriaId : 1A7E3CB1-A333-43F8-B5F8-B39844D0FD3E (string)

vulnerable : true (boolean)

}

9 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.2.10:*:*:*:*:*:*:* (string)

matchCriteriaId : BFAFC7B2-8421-4E21-9EC1-11FF17456C5B (string)

vulnerable : true (boolean)

}

10 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.2.11:*:*:*:*:*:*:* (string)

matchCriteriaId : 1B7161CD-E03A-4A2C-9048-3765D82DF35E (string)

vulnerable : true (boolean)

}

11 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.2.12:*:*:*:*:*:*:* (string)

matchCriteriaId : 5695D7A0-35D6-4780-8D07-67FD6270057F (string)

vulnerable : true (boolean)

}

12 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.2.13:*:*:*:*:*:*:* (string)

matchCriteriaId : AAC1D0EF-7B96-4DB3-9925-0F872AF092EA (string)

vulnerable : true (boolean)

}

13 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.4.0:*:*:*:*:*:*:* (string)

matchCriteriaId : 765A2672-88CB-40B6-811A-9F4FB503B9A5 (string)

vulnerable : true (boolean)

}

14 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.4.1:*:*:*:*:*:*:* (string)

matchCriteriaId : AA4CC344-B6B9-48A9-8464-73486964F484 (string)

vulnerable : true (boolean)

}

15 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.4.2:*:*:*:*:*:*:* (string)

matchCriteriaId : E361D843-4697-4478-BE2B-4C4E07DC420D (string)

vulnerable : true (boolean)

}

16 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.4.3:*:*:*:*:*:*:* (string)

matchCriteriaId : 16B89FBF-D0D6-4126-9DBB-80E8DFE630EA (string)

vulnerable : true (boolean)

}

17 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.4.4:*:*:*:*:*:*:* (string)

matchCriteriaId : B190B1F0-4EAD-48EE-A894-B776537A2ECA (string)

vulnerable : true (boolean)

}

18 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.4.5:*:*:*:*:*:*:* (string)

matchCriteriaId : 93B767E2-4E1E-4AF6-BF65-C07769DE88C6 (string)

vulnerable : true (boolean)

}

19 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.6.0:*:*:*:*:*:*:* (string)

matchCriteriaId : C1C9DD4F-690E-4627-8C20-4931E5039D95 (string)

vulnerable : true (boolean)

}

20 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.6.1:*:*:*:*:*:*:* (string)

matchCriteriaId : ACED7AF6-383C-4038-9823-BD5F2F054011 (string)

vulnerable : true (boolean)

}

21 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.6.2:*:*:*:*:*:*:* (string)

matchCriteriaId : A7CFAABB-1E6D-40A4-AE3E-A36A8627CE7A (string)

vulnerable : true (boolean)

}

22 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.6.3:*:*:*:*:*:*:* (string)

matchCriteriaId : F83F02AC-0A32-4949-9EF8-2D3BC3272B08 (string)

vulnerable : true (boolean)

}

23 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.6.4:*:*:*:*:*:*:* (string)

matchCriteriaId : 21C97A68-5B82-4830-80A9-33052E73A9A6 (string)

vulnerable : true (boolean)

}

24 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.6.5:*:*:*:*:*:*:* (string)

matchCriteriaId : D11B4EE2-94EB-4CF3-9E4C-5F0BF86080E4 (string)

vulnerable : true (boolean)

}

25 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.8.0:*:*:*:*:*:*:* (string)

matchCriteriaId : FDD80948-AE24-4CA7-97C0-8017E5504A70 (string)

vulnerable : true (boolean)

}

26 : { »

criteria : cpe:2.3:a:apache:jackrabbit:2.10.0:*:*:*:*:*:*:* (string)

matchCriteriaId : 09FE0F9B-6342-4C92-9EC5-561AAAC2034A (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request. (string)

}

1 : { »

lang : es (string)

value : Vulnerabilidad de entidad externa XML (XXE) en Apache Jackrabbit anterior a 2.0.6, 2.2.x anterior a 2.2.14, 2.4.x anterior a 2.4.6, 2.6.x anterior a 2.6.6, 2.8.x anterior a 2.8.1, y 2.10.x anterior a 2.10.1 permite a atacantes remotos leer ficheros arbitrarios y enviar solicitudes a servicios de intranet a través de una solicitud WebDAV manipulada. (string)

}

]

id : CVE-2015-1833 (string)

lastModified : 2024-11-21T02:26:14.207 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : NONE (string)

baseScore : 6.4 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:L/Au:N/C:P/I:P/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 10 (number)

impactScore : 4.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

}

published : 2015-05-29T15:59:13.063 (string)

references : [ »

0 : { »

source : secalert@redhat.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E (string)

}

1 : { »

source : secalert@redhat.com (string)

url : http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html (string)

}

2 : { »

source : secalert@redhat.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt (string)

}

3 : { »

source : secalert@redhat.com (string)

url : http://www.debian.org/security/2015/dsa-3298 (string)

}

4 : { »

source : secalert@redhat.com (string)

url : http://www.securityfocus.com/archive/1/535582/100/0/threaded (string)

}

5 : { »

source : secalert@redhat.com (string)

url : http://www.securityfocus.com/bid/74761 (string)

}

6 : { »

source : secalert@redhat.com (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://issues.apache.org/jira/browse/JCR-3883 (string)

}

7 : { »

source : secalert@redhat.com (string)

tags : [ »

0 : Exploit (string)

]

url : https://www.exploit-db.com/exploits/37110/ (string)

}

8 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E (string)

}

9 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html (string)

}

10 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt (string)

}

11 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://www.debian.org/security/2015/dsa-3298 (string)

}

12 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://www.securityfocus.com/archive/1/535582/100/0/threaded (string)

}

13 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

url : http://www.securityfocus.com/bid/74761 (string)

}

14 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Vendor Advisory (string)

]

url : https://issues.apache.org/jira/browse/JCR-3883 (string)

}

15 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

]

url : https://www.exploit-db.com/exploits/37110/ (string)

}

]

sourceIdentifier : secalert@redhat.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-20 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Show plain JSON

{"bugzilla": {"description": "jackrabbit: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack", "id": "1223883", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1223883"}, "csaw": false, "cvss": {"cvss_base_score": "6.4", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "status": "draft"}, "details": ["XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request."], "name": "CVE-2015-1833", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Not affected", "package_name": "jackrabbit-webdav", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Not affected", "package_name": "openshift-origin-cartridge-fuse", "product_name": "Red Hat OpenShift Enterprise 2"}], "public_date": "2015-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-1833\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-1833"], "threat_severity": "Moderate"}

{

bugzilla : { »

description : jackrabbit: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (string)

id : 1223883 (string)

url : https://bugzilla.redhat.com/show_bug.cgi?id=1223883 (string)

}

csaw : false (boolean)

cvss : { »

cvss_base_score : 6.4 (string)

cvss_scoring_vector : AV:N/AC:L/Au:N/C:P/I:N/A:P (string)

status : draft (string)

}

details : [ »

0 : XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request. (string)

]

name : CVE-2015-1833 (string)

package_state : [ »

0 : { »

cpe : cpe:/a:redhat:jboss_fuse_service_works:6 (string)

fix_state : Not affected (string)

package_name : jackrabbit-webdav (string)

product_name : Red Hat JBoss Fuse Service Works 6 (string)

}

1 : { »

cpe : cpe:/a:redhat:openshift:2 (string)

fix_state : Not affected (string)

package_name : jenkins (string)

product_name : Red Hat OpenShift Enterprise 2 (string)

}

2 : { »

cpe : cpe:/a:redhat:openshift:2 (string)

fix_state : Not affected (string)

package_name : openshift-origin-cartridge-fuse (string)

product_name : Red Hat OpenShift Enterprise 2 (string)

}

]

public_date : 2015-05-21T00:00:00Z (string)

references : [ »

0 : https://www.cve.org/CVERecord?id=CVE-2015-1833 https://nvd.nist.gov/vuln/detail/CVE-2015-1833 (string)

]

threat_severity : Moderate (string)

}

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object