{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-05-21T00:00:00", "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "DSA-3298", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3298"}, {"name": "74761", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/74761"}, {"name": "37110", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/37110/"}, {"name": "[jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"}, {"name": "20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.apache.org/jira/browse/JCR-3883"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2015-1833", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-3298", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3298"}, {"name": "74761", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74761"}, {"name": "37110", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/37110/"}, {"name": "[jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)", "refsource": "MLIST", "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"}, {"name": "20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"}, {"name": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt", "refsource": "CONFIRM", "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"}, {"name": "https://issues.apache.org/jira/browse/JCR-3883", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/JCR-3883"}, {"name": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T04:54:16.299Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-3298", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3298"}, {"name": "74761", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/74761"}, {"name": "37110", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/37110/"}, {"name": "[jackrabbit-announce] 20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"}, {"name": "20150521 CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability)", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.apache.org/jira/browse/JCR-3883"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-1833", "datePublished": "2015-05-29T15:00:00", "dateReserved": "2015-02-17T00:00:00", "dateUpdated": "2024-08-06T04:54:16.299Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCA488EB-6AEF-4C3B-B9EC-0269E4C16B8F", "versionEndIncluding": "2.0.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE38C192-C0E9-4F30-A4F2-9D4645F76502", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "82E60C57-AC1E-41DC-9B19-7AC1166DC8DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "AECF5291-3FDC-431D-9315-F594AD312B9C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "DD5A9474-5FBC-43CF-824A-F5854FC765BD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "34E6CC63-EA31-4E7E-ABA8-7EB135C95EBD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "F7CB306C-90E2-479A-88F4-8A7BE952FC86", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "428DB1B1-8640-4A3D-8582-940B91B75B4D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "1A7E3CB1-A333-43F8-B5F8-B39844D0FD3E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "BFAFC7B2-8421-4E21-9EC1-11FF17456C5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "1B7161CD-E03A-4A2C-9048-3765D82DF35E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "5695D7A0-35D6-4780-8D07-67FD6270057F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.2.13:*:*:*:*:*:*:*", "matchCriteriaId": "AAC1D0EF-7B96-4DB3-9925-0F872AF092EA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "765A2672-88CB-40B6-811A-9F4FB503B9A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "AA4CC344-B6B9-48A9-8464-73486964F484", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "E361D843-4697-4478-BE2B-4C4E07DC420D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "16B89FBF-D0D6-4126-9DBB-80E8DFE630EA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "B190B1F0-4EAD-48EE-A894-B776537A2ECA", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "93B767E2-4E1E-4AF6-BF65-C07769DE88C6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "C1C9DD4F-690E-4627-8C20-4931E5039D95", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "ACED7AF6-383C-4038-9823-BD5F2F054011", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "A7CFAABB-1E6D-40A4-AE3E-A36A8627CE7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "F83F02AC-0A32-4949-9EF8-2D3BC3272B08", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "21C97A68-5B82-4830-80A9-33052E73A9A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "D11B4EE2-94EB-4CF3-9E4C-5F0BF86080E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "FDD80948-AE24-4CA7-97C0-8017E5504A70", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:jackrabbit:2.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "09FE0F9B-6342-4C92-9EC5-561AAAC2034A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request."}, {"lang": "es", "value": "Vulnerabilidad de entidad externa XML (XXE) en Apache Jackrabbit anterior a 2.0.6, 2.2.x anterior a 2.2.14, 2.4.x anterior a 2.4.6, 2.6.x anterior a 2.6.6, 2.8.x anterior a 2.8.1, y 2.10.x anterior a 2.10.1 permite a atacantes remotos leer ficheros arbitrarios y enviar solicitudes a servicios de intranet a trav\u00e9s de una solicitud WebDAV manipulada."}], "id": "CVE-2015-1833", "lastModified": "2024-11-21T02:26:14.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-05-29T15:59:13.063", "references": [{"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"}, {"source": "[email protected]", "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"}, {"source": "[email protected]", "url": "http://www.debian.org/security/2015/dsa-3298"}, {"source": "[email protected]", "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"}, {"source": "[email protected]", "url": "http://www.securityfocus.com/bid/74761"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/JCR-3883"}, {"source": "[email protected]", "tags": ["Exploit"], "url": "https://www.exploit-db.com/exploits/37110/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3298"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/535582/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/74761"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/JCR-3883"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://www.exploit-db.com/exploits/37110/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "jackrabbit: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack", "id": "1223883", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1223883"}, "csaw": false, "cvss": {"cvss_base_score": "6.4", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "status": "draft"}, "details": ["XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request."], "name": "CVE-2015-1833", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Not affected", "package_name": "jackrabbit-webdav", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Not affected", "package_name": "jenkins", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Not affected", "package_name": "openshift-origin-cartridge-fuse", "product_name": "Red Hat OpenShift Enterprise 2"}], "public_date": "2015-05-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-1833\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-1833"], "threat_severity": "Moderate", "upstream_fix": "Apache Jackrabbit 2.10.1"}