Posted to dev@jackrabbit.apache.org by "Marcel Reutegger (JIRA)" <ji...@apache.org> on 2015/05/21 11:13:01 UTC

[jira] [Updated] (JCR-3883) Jackrabbit WebDAV bundle susceptible to XXE/XEE attack

     [ https://issues.apache.org/jira/browse/JCR-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcel Reutegger updated JCR-3883:
----------------------------------
          Description: 
When processing a WebDAV request body containing XML, the XML parser can be 
instructed to read content from network resources accessible to the host, 
identified by URI schemes such as "http(s)" or "file". Depending on the 
WebDAV request, this can not only be used to trigger internal network 
requests, but might also be used to insert said content into the request, 
potentially exposing it to the attacker and others (for instance, by inserting
said content in a WebDAV property value using a PROPPATCH request). See also
IETF RFC 4918, Section 20.6.

This issue was reported by Mikhail Egorov.

Users of the jackrabbit-webdav module are advised to immediately update the
module to 2.10.1 or disable WebDAV access to the repository. Users
on earlier versions of Jackrabbit who are unable to upgrade to 2.10.1 should
apply the fix to the corresponding 2.x branch or disable WebDAV access until
official releases of those earlier versions are available. Patches for 2.x
branches are attached to this JIRA issue.
    Affects Version/s: 2.0
                       2.2
                       2.4
                       2.6
                       2.8
                       2.10
        Fix Version/s: 2.10.1
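One way to configure a Java XML parser so that a WebDAV request body cannot pull in file or network content through external entities. This is an added example, not Jackrabbit's code, and it does not claim to reproduce the 2.10.1 patch; the class and method names and both sample PROPPATCH bodies are constructed, and the SYSTEM URI in the second body is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
// Added example, not Jackrabbit code: parse a WebDAV PROPPATCH body with a parser
// that refuses DTDs, so no external entity can pull in file or network content.
public class HardenedWebDavParser {
    // Constructed sample: a benign PROPPATCH body (RFC 4918, namespace "DAV:").
    static final String BENIGN_PROPPATCH =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
      + "<D:propertyupdate xmlns:D=\"DAV:\"><D:set><D:prop>"
      + "<D:displayname>report.txt</D:displayname>"
      + "</D:prop></D:set></D:propertyupdate>";
    // Constructed sample: same request with a DOCTYPE declaring an external entity (placeholder URI).
    static final String PROPPATCH_WITH_DTD =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
      + "<!DOCTYPE D:propertyupdate [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>"
      + "<D:propertyupdate xmlns:D=\"DAV:\"><D:set><D:prop>"
      + "<D:displayname>&ext;</D:displayname>"
      + "</D:prop></D:set></D:propertyupdate>";
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refusing any DOCTYPE stops entity declarations, external or internal.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newDocumentBuilder();
    }
    /** Returns the D:displayname text, or null when the body is rejected. */
    static String displayNameFromPropPatch(String body) throws Exception {
        try {
            Document doc = hardenedBuilder().parse(
                new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
            return doc.getElementsByTagNameNS("DAV:", "displayname").item(0).getTextContent();
        } catch (SAXException rejected) {
            return null; // with the settings above a DOCTYPE is a parse error
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(displayNameFromPropPatch(BENIGN_PROPPATCH));
        System.out.println(displayNameFromPropPatch(PROPPATCH_WITH_DTD));
    }
}
```

The first call returns the property value; the second is rejected before any entity is resolved, which is the behaviour a server exposed to untrusted PROPPATCH bodies needs.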

> Jackrabbit WebDAV bundle susceptible to XXE/XEE attack
> ------------------------------------------------------
>
>                 Key: JCR-3883
>                 URL: https://issues.apache.org/jira/browse/JCR-3883
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-webdav
>    Affects Versions: 2.0, 2.2, 2.4, 2.6, 2.8, 2.10
>            Reporter: Marcel Reutegger
>            Assignee: Marcel Reutegger
>            Priority: Critical
>             Fix For: 2.10.1

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)