Apache Jackrabbit Core and JCR Commons Deserialization Vulnerability Allowing JNDI Injection

Vulnerability

A deserialization vulnerability that allows the injection of malicious JNDI references has been identified in Apache Jackrabbit Core versions 1.0.0 up to (but not including) 2.22.1 and Apache Jackrabbit JCR Commons versions 1.0.0 up to (but not including) 2.22.1. The vulnerability affects deployments that accept JNDI URIs for JCR repository lookup from untrusted users: an attacker-supplied JNDI reference can lead to deserialization of untrusted data and, in turn, to arbitrary code execution.

Impact

Exploitation of this vulnerability could result in arbitrary code execution on the server where Apache Jackrabbit is deployed.

Remediation

Users are advised to upgrade to Apache Jackrabbit version 2.22.2, in which JCR lookup through JNDI is disabled by default. Those who require this feature must enable it explicitly and should review where JNDI URIs for JCR lookup are accepted, ensuring they never come from untrusted users.

Added: Sep 8, 2025, 9:16 AM
Updated: Sep 8, 2025, 4:51 PM

Vulnerability Rating

Custom Algorithm

spread          4.5
impact         10.0
exploitability  6.3
remediation     7.7
relevance       0.5
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.