CVE-2015-1833
Summary
| CVE | CVE-2015-1833 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-05-29 15:59:13 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request. |
Risk And Classification
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
LowAuthentication
NoneConfidentiality
PartialIntegrity
PartialAvailability
NoneAV:N/AC:L/Au:N/C:P/I:P/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Jackrabbit | 2.10.0 | All | All | All |
| Application | Apache | Jackrabbit | 2.2.0 | All | All | All |
| Application | Apache | Jackrabbit | 2.2.1 | All | All | All |
| Application | Apache | Jackrabbit | 2.2.10 | All | All | All |
| Application | Apache | Jackrabbit | 2.2.11 | All | All | All |
| Application | Apache | Jackrabbit | 2.2.12 | All | All | All |
| Application | Apache | Jackrabbit | 2.2.13 | All | All | All |
| Application | Apache | Jackrabbit | 2.2.2 | All | All | All |
| Application | Apache | Jackrabbit | 2.2.4 | All | All | All |
| Application | Apache | Jackrabbit | 2.2.5 | All | All | All |
| Application | Apache | Jackrabbit | 2.2.7 | All | All | All |
| Application | Apache | Jackrabbit | 2.2.8 | All | All | All |
| Application | Apache | Jackrabbit | 2.2.9 | All | All | All |
| Application | Apache | Jackrabbit | 2.4.0 | All | All | All |
| Application | Apache | Jackrabbit | 2.4.1 | All | All | All |
| Application | Apache | Jackrabbit | 2.4.2 | All | All | All |
| Application | Apache | Jackrabbit | 2.4.3 | All | All | All |
| Application | Apache | Jackrabbit | 2.4.4 | All | All | All |
| Application | Apache | Jackrabbit | 2.4.5 | All | All | All |
| Application | Apache | Jackrabbit | 2.6.0 | All | All | All |
| Application | Apache | Jackrabbit | 2.6.1 | All | All | All |
| Application | Apache | Jackrabbit | 2.6.2 | All | All | All |
| Application | Apache | Jackrabbit | 2.6.3 | All | All | All |
| Application | Apache | Jackrabbit | 2.6.4 | All | All | All |
| Application | Apache | Jackrabbit | 2.6.5 | All | All | All |
| Application | Apache | Jackrabbit | 2.8.0 | All | All | All |
| Application | Apache | Jackrabbit | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache JackRabbit - WebDAV XML External Entity - Java webapps Exploit | af854a3a-2127-422b-91ae-364da2661108 | www.exploit-db.com | Exploit |
| Apache Jackrabbit CVE-2015-1833 XML External Entity Information Disclosure Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| 404 Not Found | af854a3a-2127-422b-91ae-364da2661108 | www.apache.org | Vendor Advisory |
| Jackrabbit WebDAV XXE Injection ≈ Packet Storm | af854a3a-2127-422b-91ae-364da2661108 | packetstormsecurity.com | |
| [JCR-3883] Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833) - ASF JIRA | af854a3a-2127-422b-91ae-364da2661108 | issues.apache.org | Vendor Advisory |
| SecurityFocus | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| CVE-2015-1833 (Jackrabbit WebDAV XXE vulnerability) | af854a3a-2127-422b-91ae-364da2661108 | mail-archives.apache.org | Vendor Advisory |
| Debian -- Security Information -- DSA-3298-1 jackrabbit | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 150423 Adobe Experience Manager: WebDAV Exposed