Moderate severity · NVD Advisory · Published May 29, 2015 · Updated Jun 17, 2026
CVE-2015-1833
Description
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.jackrabbit:jackrabbit-core (Maven) | < 2.0.6 | 2.0.6 |
| org.apache.jackrabbit:jackrabbit-core (Maven) | >= 2.2.0, < 2.2.14 | 2.2.14 |
| org.apache.jackrabbit:jackrabbit-core (Maven) | >= 2.4.0, < 2.4.6 | 2.4.6 |
| org.apache.jackrabbit:jackrabbit-core (Maven) | >= 2.6.0, < 2.6.6 | 2.6.6 |
| org.apache.jackrabbit:jackrabbit-core (Maven) | >= 2.8.0, < 2.8.1 | 2.8.1 |
| org.apache.jackrabbit:jackrabbit-core (Maven) | >= 2.10.0, < 2.10.1 | 2.10.1 |
Affected products
- cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:* (range: <=2.0.5)
- cpe:2.3:a:apache:jackrabbit:2.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.8.0:*:*:*:*:*:*:*
References
- www.exploit-db.com/exploits/37110/ (nvd, Exploit)
- mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E (nvd, Vendor Advisory, WEB)
- www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt (nvd, Vendor Advisory, WEB)
- github.com/advisories/GHSA-9284-j4c9-779q (ghsa, ADVISORY)
- issues.apache.org/jira/browse/JCR-3883 (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2015-1833 (ghsa, ADVISORY)
- packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html (nvd, WEB)
- www.debian.org/security/2015/dsa-3298 (nvd, WEB)
- github.com/apache/jackrabbit/commit/17e9f68f5a3f05ded20569777a7b07422680612d (ghsa, WEB)
- github.com/apache/jackrabbit/commit/26e601934d0f439f0a61d62265f52936d79df40d (ghsa, WEB)
- github.com/apache/jackrabbit/commit/3903739363b79deb7579802fbc27b9b7448218b2 (ghsa, WEB)
- github.com/apache/jackrabbit/commit/6191b366c607e65325a0116097aca8a359b36486 (ghsa, WEB)
- github.com/apache/jackrabbit/commit/89c5c4ed6ab250ad609829517f167d2dbe0abdd0 (ghsa, WEB)
- github.com/apache/jackrabbit/commit/b7fa1ae39641936872617ff95363353b0345b777 (ghsa, WEB)
- github.com/apache/jackrabbit/commit/ddf9a3cd408397d0805917299c4114b09449373d (ghsa, WEB)
- www.exploit-db.com/exploits/37110 (ghsa, WEB)
- www.securityfocus.com/archive/1/535582/100/0/threaded (nvd)
- www.securityfocus.com/bid/74761 (nvd)