CVE-2015-1833
CVE-2015-1833 is a medium-severity vulnerability in Apache Jackrabbit with a CVSS 2.0 base score of 6.4. Its EPSS exploit-prediction score of 51% places it in the 99th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-20.
Key facts
- Severity: Medium (CVSS 2.0 base score 6.4)
- EPSS exploit prediction: 51% (99th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-20
- Affected product: Apache Jackrabbit
- Published:
- Last modified:
Description
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Frequently asked questions
- What is CVE-2015-1833?
- XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
- How severe is CVE-2015-1833?
- CVE-2015-1833 has a CVSS 2.0 base score of 6.4, rated medium severity.
- Is CVE-2015-1833 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 51% (99th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2015-1833?
- CVE-2015-1833 primarily affects Apache Jackrabbit. In total, 27 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2015-1833?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2015-1833 published?
- CVE-2015-1833 was published on 2015-05-29 and last updated on 2026-06-17.
References
- http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
- http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
- http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
- http://www.debian.org/security/2015/dsa-3298
- http://www.securityfocus.com/archive/1/535582/100/0/threaded
- http://www.securityfocus.com/bid/74761
- https://issues.apache.org/jira/browse/JCR-3883
- https://www.exploit-db.com/exploits/37110/
Affected products (27)
- cpe:2.3:a:apache:jackrabbit:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:jackrabbit:2.10.0:*:*:*:*:*:*:*
More vulnerabilities in Apache Jackrabbit
- CVE-2023-37895 — Critical (CVSS 9.8): Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute…
- CVE-2025-53689 — High (CVSS 8.8): Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of…
- CVE-2016-6801 — High (CVSS 8.8): Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache…
- CVE-2025-58782 — Medium (CVSS 6.5): Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This…
- CVE-2009-0026 — Medium (CVSS 4.3): Multiple cross-site scripting (XSS) vulnerabilities in Apache Jackrabbit before 1.5.2 allow remote attackers to inject…
All CVEs affecting Apache Jackrabbit →
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →