[JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.0.5, 2.2.13, 2.4.5, 2.6.5, 2.8, 2.10
Fix Version/s: 0.9, 2.10.1, 2.4.6, 2.6.6, 2.8.1
Component/s: jackrabbit-webdav
Labels:
None

Description

When processing a WebDAV request body containing XML, the XML parser can be
instructed to read content from network resources accessible to the host,
identified by URI schemes such as "http(s)" or "file". Depending on the
WebDAV request, this can not only be used to trigger internal network
requests, but might also be used to insert said content into the request,
potentially exposing it to the attacker and others (for instance, by inserting
said content in a WebDAV property value using a PROPPATCH request). See also
IETF RFC 4918, Section 20.6.

This issue was reported by Mikhail Egorov.

Users of the jackrabbit-webdav module are advised to immediately update the
module to 2.10.1 or disable WebDAV access to the repository. Users
on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
apply the fix to the corresponding 2.x branch or disable WebDAV access until
official releases of those earlier versions are available. Patches for 2.x
branches are attached to this JIRA issue.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

CVE-2015-1833.patch
21/May/15 09:13
14 kB
Marcel Reutegger
CVE-2015-1833.txt
21/May/15 09:42
2 kB
Julian Reschke
CVE-2015-1833-jr-2.0.patch
21/May/15 09:13
13 kB
Marcel Reutegger
CVE-2015-1833-jr-2.2.patch
21/May/15 09:13
11 kB
Marcel Reutegger

Activity

People

Assignee:: Marcel Reutegger

Reporter:: Marcel Reutegger

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 21/May/15 08:06

Updated:: 03/May/23 09:10

Resolved:: 21/May/15 09:13