CVE-2015-1833

XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.

Published: May 29, 2015
Updated: Nov 9, 2025
CVE: CVE-2015-1833
GHSA: GHSA-9284-j4c9-779q
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
apache / jackrabbit	2.2.13	2.2.13.x
apache / jackrabbit	2.2.10	2.2.10.x
apache / jackrabbit	2.4.3	2.4.3.x
apache / jackrabbit	2.2.9	2.2.9.x
apache / jackrabbit	-	2.0.5.x
apache / jackrabbit	2.6.5	2.6.5.x
apache / jackrabbit	2.2.5	2.2.5.x
apache / jackrabbit	2.2.8	2.2.8.x
apache / jackrabbit	2.4.1	2.4.1.x
apache / jackrabbit	2.8.0	2.8.0.x
apache / jackrabbit	2.6.2	2.6.2.x
apache / jackrabbit	2.2.0	2.2.0.x
apache / jackrabbit	2.6.0	2.6.0.x
apache / jackrabbit	2.6.3	2.6.3.x
apache / jackrabbit	2.4.0	2.4.0.x
apache / jackrabbit	2.4.2	2.4.2.x
apache / jackrabbit	2.2.11	2.2.11.x
apache / jackrabbit	2.4.4	2.4.4.x
apache / jackrabbit	2.2.4	2.2.4.x
apache / jackrabbit	2.2.2	2.2.2.x
apache / jackrabbit	2.2.1	2.2.1.x
apache / jackrabbit	2.2.12	2.2.12.x
apache / jackrabbit	2.4.5	2.4.5.x
apache / jackrabbit	2.6.1	2.6.1.x
apache / jackrabbit	2.10.0	2.10.0.x
apache / jackrabbit	2.2.7	2.2.7.x
apache / jackrabbit	2.6.4	2.6.4.x
org.apache.jackrabbit / jackrabbit-core	-	2.0.6
org.apache.jackrabbit / jackrabbit-core	2.2.0	2.2.14
org.apache.jackrabbit / jackrabbit-core	2.4.0	2.4.6
org.apache.jackrabbit / jackrabbit-core	2.6.0	2.6.6
org.apache.jackrabbit / jackrabbit-core	2.8.0	2.8.0.x
org.apache.jackrabbit / jackrabbit-core	2.8.0	2.8.1
org.apache.jackrabbit / jackrabbit-core	2.10.0	2.10.0.x
org.apache.jackrabbit / jackrabbit-core	2.10.0	2.10.1

Vulnerability Database

318,389

CVE-2015-1833

Deep Security Visibility Without the Complexity