Uploaded image for project: 'Jackrabbit Content Repository'
  1. Jackrabbit Content Repository
  2. JCR-3883

Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833)

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.0.5, 2.2.13, 2.4.5, 2.6.5, 2.8, 2.10
    • Fix Version/s: 0.9, 2.10.1, 2.4.6, 2.6.6, 2.8.1
    • Component/s: jackrabbit-webdav
    • Labels:
      None

      Description

      When processing a WebDAV request body containing XML, the XML parser can be
      instructed to read content from network resources accessible to the host,
      identified by URI schemes such as "http(s)" or "file". Depending on the
      WebDAV request, this can not only be used to trigger internal network
      requests, but might also be used to insert said content into the request,
      potentially exposing it to the attacker and others (for instance, by inserting
      said content in a WebDAV property value using a PROPPATCH request). See also
      IETF RFC 4918, Section 20.6.

      This issue was reported by Mikhail Egorov.

      Users of the jackrabbit-webdav module are advised to immediately update the
      module to 2.10.1 or disable WebDAV access to the repository. Users
      on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
      apply the fix to the corresponding 2.x branch or disable WebDAV access until
      official releases of those earlier versions are available. Patches for 2.x
      branches are attached to this JIRA issue.

        Attachments

        1. CVE-2015-1833-jr-2.0.patch
          13 kB
          Marcel Reutegger
        2. CVE-2015-1833-jr-2.2.patch
          11 kB
          Marcel Reutegger
        3. CVE-2015-1833.patch
          14 kB
          Marcel Reutegger
        4. CVE-2015-1833.txt
          2 kB
          Julian Reschke

          Activity

            People

            • Assignee:
              mreutegg Marcel Reutegger
              Reporter:
              mreutegg Marcel Reutegger
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: