Apache Jackrabbit Blind XXE Vulnerability in jackrabbit-spi-commons and jackrabbit-core

Vulnerability

A blind XML External Entity (XXE) vulnerability has been identified in Apache Jackrabbit versions prior to 2.23.2. It affects the jackrabbit-spi-commons and jackrabbit-core components, which load privilege definitions through an XML document builder that was not hardened against DTD processing, so external entity declarations in the parsed document are resolved rather than rejected. The attack is blind because the parsed content is not echoed back to the attacker; the parser can nonetheless be made to read local files or contact internal resources, and in a typical blind XXE the result is exfiltrated through an out-of-band channel such as an attacker-controlled external DTD.

Impact

An attacker who can supply or influence the privilege definition XML parsed by these components can declare external entities that make the parser read local files or issue requests to internal resources that are not otherwise reachable (server-side request forgery). Because the attack is blind, nothing is returned to the attacker directly; disclosure relies on out-of-band exfiltration, for example by embedding file contents in a URL that the parser fetches while expanding entities. Information obtained this way can support further exploitation.

Remediation

Users are advised to upgrade to Apache Jackrabbit 2.20.17 (Java 8), 2.22.1 (Java 11), or 2.23.2 (Java 11, beta versions), all of which address this vulnerability. Earlier versions up to 2.20.16 are no longer supported and will not receive a fix. Because the affected code lives in jackrabbit-spi-commons and jackrabbit-core, check the versions of those artifacts that actually resolve in your build (for example with mvn dependency:tree) rather than only the top-level Jackrabbit version you declare, since a transitive dependency can pin an older jar.
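As an added illustration of the root cause described in the Vulnerability section and of what a hardened parser configuration looks like, the following Java program is not code from the advisory or from the Jackrabbit project. It contrasts a default JAXP DocumentBuilder, which resolves external entities, with one configured to reject DOCTYPE declarations and external DTD access. The XML document, element names and the file:///etc/hostname target are constructed for the demo and do not reproduce Jackrabbit's real privilege format; a real blind XXE would typically point a parameter entity at an attacker-controlled DTD so that file contents leave over HTTP instead of being read back locally as they are here. The fix for the advisory itself is the version upgrade above; the hardened builder shows the configuration any code that parses untrusted XML with JAXP should use.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed sample (not Jackrabbit's privilege format): a privileges-style
    // document that smuggles a DOCTYPE with an external general entity. A default
    // parser resolves the entity from the local filesystem when <name> is read.
    static final String MALICIOUS = ""
        + "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE privileges [\n"
        + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
        + "]>\n"
        + "<privileges>\n"
        + "  <privilege><name>&xxe;</name></privilege>\n"
        + "</privileges>\n";

    // Unsecured builder, the pattern the advisory describes: JAXP defaults
    // allow DTDs, external entities and external DTD loading.
    static DocumentBuilder unsecuredBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened builder: refuse DOCTYPE outright, and additionally disable
    // external entities, external DTD loading and XInclude so that a parser
    // implementation lacking the first feature still cannot fetch anything.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Parse the sample and return the text of the first <name> element.
    static String firstPrivilegeName(DocumentBuilder b) throws Exception {
        Document doc = b.parse(new ByteArrayInputStream(MALICIOUS.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("name").item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Default parser: the entity is expanded and the file contents land in the
        // DOM. In a blind variant the same expansion feeds an attacker-controlled
        // URL instead, so the victim application never has to display anything.
        System.out.println("unsecured: " + firstPrivilegeName(unsecuredBuilder()));

        try {
            firstPrivilegeName(hardenedBuilder());
            System.out.println("hardened: parsed (unexpected)");
        } catch (SAXParseException e) {
            // Expected: the parser rejects the document at the DOCTYPE declaration.
            System.out.println("hardened: rejected - " + e.getMessage());
        }
    }
}
```

Run with `javac XxeDemo.java && java XxeDemo` on a JDK whose bundled parser is Xerces-based (the standard JDK parser is); the first line prints the contents of /etc/hostname, the second reports a SAXParseException about the disallowed DOCTYPE.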

Added: Jul 14, 2025, 10:19 AM
Updated: Jul 14, 2025, 10:19 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 7.0
remediation: 7.7
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.