Bug#1109335: jackrabbit: CVE-2025-53689

Adrian Bunk bunk at debian.org
Tue Aug 5 03:38:17 BST 2025


On Tue, Jul 15, 2025 at 02:30:45PM +0200, Moritz Mühlenhoff wrote:
> Package: jackrabbit
> X-Debbugs-CC: team at security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for jackrabbit.
> 
> CVE-2025-53689[0]:
> | Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-
> | core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured
> | document build to load privileges.  Users are recommended to upgrade
> | to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11,
> | beta versions), which fix this issue. Earlier versions (up to
> | 2.20.16) are not supported anymore, thus users should update to the
> | respective supported version.
> 
> It's not clear to me if the subset of functionality shipped in the
> Debian package is affected by this, needs further investigation:
>...

It looks not affected to me:

https://github.com/apache/jackrabbit/commit/1d6cb3d0fcc8d51980b90ddcf94122d3e4add83e

$ jar tf /usr/share/java/jackrabbit-webdav.jar | grep DOMWalker
$ jar tf /usr/share/java/jackrabbit-webdav.jar | grep PrivilegeXmlHandler
$

Could a Java Maintainer confirm that I am not missing anything here?

Thanks
Adrian
