You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jackrabbit.apache.org by "Julian Reschke (JIRA)" <ji...@apache.org> on 2016/06/15 14:04:09 UTC
[jira] [Commented] (JCR-3883) Jackrabbit WebDAV bundle susceptible
to XXE/XEE attack (CVE-2015-1833)
[ https://issues.apache.org/jira/browse/JCR-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15331796#comment-15331796 ]
Julian Reschke commented on JCR-3883:
-------------------------------------
trunk: http://svn.apache.org/r1680757
2.12: http://svn.apache.org/r1680757
2.10: http://svn.apache.org/r1680757
2.8: http://svn.apache.org/r1680785
2.6: http://svn.apache.org/r1680794
2.4: http://svn.apache.org/r1680798
> Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833)
> ----------------------------------------------------------------------
>
> Key: JCR-3883
> URL: https://issues.apache.org/jira/browse/JCR-3883
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-webdav
> Affects Versions: 2.0.5, 2.2.13, 2.4.5, 2.6.5, 2.8, 2.10
> Reporter: Marcel Reutegger
> Assignee: Marcel Reutegger
> Priority: Critical
> Fix For: 2.10.1, 2.0.6, 2.2.14, 2.4.6, 2.6.6, 2.8.1
>
> Attachments: CVE-2015-1833-jr-2.0.patch, CVE-2015-1833-jr-2.2.patch, CVE-2015-1833.patch, CVE-2015-1833.txt
>
>
> When processing a WebDAV request body containing XML, the XML parser can be
> instructed to read content from network resources accessible to the host,
> identified by URI schemes such as "http(s)" or "file". Depending on the
> WebDAV request, this can not only be used to trigger internal network
> requests, but might also be used to insert said content into the request,
> potentially exposing it to the attacker and others (for instance, by inserting
> said content in a WebDAV property value using a PROPPATCH request). See also
> IETF RFC 4918, Section 20.6.
> This issue was reported by Mikhail Egorov.
> Users of the jackrabbit-webdav module are advised to immediately update the
> module to 2.10.1 or disable WebDAV access to the repository. Users
> on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
> apply the fix to the corresponding 2.x branch or disable WebDAV access until
> official releases of those earlier versions are available. Patches for 2.x
> branches are attached to this JIRA issue.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)