GHSA-44c3-38h8-9fh9

Source
https://github.com/advisories/GHSA-44c3-38h8-9fh9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-44c3-38h8-9fh9/GHSA-44c3-38h8-9fh9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-44c3-38h8-9fh9
Aliases
Published
2025-07-14T12:30:27Z
Modified
2025-07-14T21:42:25.161722Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Apache Jackrabbit vulnerable to blind XXE attack due to insecure document build
Details

Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges.

Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.
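The root cause class here is CWE-611: a `DocumentBuilderFactory` used with its defaults, which lets a DOCTYPE in the parsed document declare and resolve external entities. The following is an added illustration, not Jackrabbit's own code, of what a hardened JAXP factory looks like next to the default one. The element names in the sample document (`privileges`, `privilege`, `name`) are constructed for this example and are not claimed to match Jackrabbit's privilege file format.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {

    /** Factory with JDK defaults: DOCTYPEs are accepted and external entities are resolved (CWE-611). */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Factory hardened against XXE; the first feature alone rejects any DOCTYPE, the rest are defence in depth. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses a string with the given factory; the entity resolver returns an empty stream for any external id. */
    static Document parse(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents: one plain, one carrying a DOCTYPE with a harmless internal entity.
        String plain = "<privileges><privilege><name>jcr:read</name></privilege></privileges>";
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE privileges [ <!ENTITY n \"jcr:read\"> ]>\n"
                + "<privileges><privilege><name>&n;</name></privilege></privileges>";

        Document d = parse(hardenedFactory(), plain);
        System.out.println("hardened: accepted plain document, root=" + d.getDocumentElement().getTagName());

        try {
            parse(hardenedFactory(), withDoctype);
            System.out.println("hardened: unexpected, DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected: disallow-doctype-decl makes the parser fail before any entity is resolved.
            System.out.println("hardened: rejected DOCTYPE (" + e.getMessage() + ")");
        }

        // The default factory accepts the same DOCTYPE, which is the behaviour the advisory describes.
        Document loose = parse(defaultFactory(), withDoctype);
        System.out.println("default: accepted DOCTYPE, root=" + loose.getDocumentElement().getTagName());
    }
}
```

With `disallow-doctype-decl` set, the hardened parser throws a `SAXParseException` on the second document before any entity declaration is processed; the default factory parses it. When auditing a codebase for this bug class, search for `DocumentBuilderFactory.newInstance()` (and the SAX and StAX equivalents) that are not followed by these feature settings, and confirm the dependency versions against the fixed ranges listed below.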

Database specific
{
    "github_reviewed": true,
    "severity": "HIGH",
    "github_reviewed_at": "2025-07-14T21:18:10Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "nvd_published_at": "2025-07-14T10:15:28Z"
}
References

Affected packages

Maven / org.apache.jackrabbit:jackrabbit-spi-commons

Package

Name
org.apache.jackrabbit:jackrabbit-spi-commons
Purl
pkg:maven/org.apache.jackrabbit/jackrabbit-spi-commons

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.20.0
Fixed
2.20.17

Affected versions

2.*

2.20.0
2.20.1
2.20.2
2.20.3
2.20.4
2.20.5
2.20.6
2.20.7
2.20.8
2.20.9
2.20.10
2.20.11
2.20.12
2.20.13
2.20.14
2.20.15
2.20.16

Maven / org.apache.jackrabbit:jackrabbit-spi-commons

Package

Name
org.apache.jackrabbit:jackrabbit-spi-commons
Purl
pkg:maven/org.apache.jackrabbit/jackrabbit-spi-commons

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.22.0
Fixed
2.22.1

Affected versions

2.*

2.22.0

Maven / org.apache.jackrabbit:jackrabbit-spi-commons

Package

Name
org.apache.jackrabbit:jackrabbit-spi-commons
Purl
pkg:maven/org.apache.jackrabbit/jackrabbit-spi-commons

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.23.0-beta
Fixed
2.23.2-beta

Affected versions

2.*

2.23.0-beta
2.23.1-beta

Maven / org.apache.jackrabbit:jackrabbit-core

Package

Name
org.apache.jackrabbit:jackrabbit-core
Purl
pkg:maven/org.apache.jackrabbit/jackrabbit-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.23.0-beta
Fixed
2.23.2-beta

Affected versions

2.*

2.23.0-beta
2.23.1-beta

Maven / org.apache.jackrabbit:jackrabbit-core

Package

Name
org.apache.jackrabbit:jackrabbit-core
Purl
pkg:maven/org.apache.jackrabbit/jackrabbit-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.20.0
Fixed
2.20.17

Affected versions

2.*

2.20.0
2.20.1
2.20.2
2.20.3
2.20.4
2.20.5
2.20.6
2.20.7
2.20.8
2.20.9
2.20.10
2.20.11
2.20.12
2.20.13
2.20.14
2.20.15
2.20.16

Maven / org.apache.jackrabbit:jackrabbit-core

Package

Name
org.apache.jackrabbit:jackrabbit-core
Purl
pkg:maven/org.apache.jackrabbit/jackrabbit-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.22.0
Fixed
2.22.1

Affected versions

2.*

2.22.0