Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 553810 (CVE-2015-1833)

Summary: <dev-java/jackrabbit-webdav-2.10.1: XXE (XSS) vulnerability, may disclose local files (CVE-2015-1833)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: java
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1833
Whiteboard: ~3 [noglsa/cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2015-07-02 19:12:46 UTC 
From URL:
----
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
----
https://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
https://issues.apache.org/jira/browse/JCR-3883

Reproducible: Always
Comment 1 Patrice Clement gentoo-dev 2015-07-02 21:34:39 UTC 
I bumped jackrabbit-webdav a little while ago due to another CVE. Hence, we have the latest version available in Portage (2.10.1), which is, fortunately, not affected by this CVE. You can close this bug.