When processing a WebDAV request body containing XML, the XML parser can be
instructed to read content from network resources accessible to the host,
identified by URI schemes such as "http(s)" or "file". Depending on the
WebDAV request, this can not only be used to trigger internal network
requests, but might also be used to insert said content into the request,
potentially exposing it to the attacker and others (for instance, by inserting
said content in a WebDAV property value using a PROPPATCH request). See also
IETF RFC 4918, Section 20.6.
This issue was reported by Mikhail Egorov.
Users of the jackrabbit-webdav module are advised to immediately update the
module to 2.10.1 or disable WebDAV access to the repository. Users
on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
apply the fix to the corresponding 2.x branch or disable WebDAV access until
official releases of those earlier versions are available. Patches for 2.x
branches are attached to this JIRA issue.