Bug#1109335: jackrabbit: CVE-2025-53689

Moritz Mühlenhoff jmm at inutil.org
Tue Jul 15 13:30:45 BST 2025


Package: jackrabbit
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for jackrabbit.

CVE-2025-53689[0]:
| Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-
| core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured
| document build to load privileges.  Users are recommended to upgrade
| to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11,
| beta versions), which fix this issue. Earlier versions (up to
| 2.20.16) are not supported anymore, thus users should update to the
| respective supported version.

It's not clear to me if the subset of functionality shipped in the
Debian package is affected by this, needs further investigation:

https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-53689
    https://www.cve.org/CVERecord?id=CVE-2025-53689

Please adjust the affected versions in the BTS as needed.
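As an added illustration of the class of fix the advisory describes (not code from Jackrabbit or from this report), the hardened DocumentBuilderFactory configuration below rejects DOCTYPE declarations and external entity resolution before any privileges document is parsed; the document shape and the class name are assumptions, only the parser features are standard JAXP/Xerces ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class HardenedXmlLoad {

    // Build a DocumentBuilder that refuses DOCTYPE declarations and never
    // resolves external entities. This is the configuration a privileges
    // loader should use instead of a default DocumentBuilderFactory.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright blocks entity-based XXE, blind or not.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Returns the root element name if the document is accepted, or null
    // if the hardened parser rejected it (a SAXParseException on the DOCTYPE).
    static String parseRootName(String xml) throws ParserConfigurationException, IOException {
        try {
            Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a plain privileges document (element layout is hypothetical).
        String plain = "<privileges><privilege name=\"jcr:read\"/></privileges>";
        // Constructed sample: the same document carrying a DOCTYPE with an internal entity.
        String withDoctype = "<!DOCTYPE privileges [<!ENTITY e \"x\">]>"
                + "<privileges><privilege name=\"&e;\"/></privileges>";
        System.out.println("plain        -> " + parseRootName(plain));
        System.out.println("with DOCTYPE -> " + parseRootName(withDoctype));
    }
}
```

The first document parses normally while the second is refused at the DOCTYPE, which is the behaviour a reviewer should look for when checking whether a backport of the fix actually reaches the code path shipped in the Debian package.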



More information about the pkg-java-maintainers mailing list