XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
CVE-2015-1833
- High exploitation likelihood — EPSS 51%
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- —
- EG Score
- 0.0(none)
- EPSS
- 98.8%
- KEV
- Not listed
Published
May 29, 2015
Last Modified
May 6, 2026
References (16)
- secalert@redhathttp://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
- secalert@redhathttp://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
- secalert@redhathttp://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
- secalert@redhathttp://www.debian.org/security/2015/dsa-3298
- secalert@redhathttp://www.securityfocus.com/archive/1/535582/100/0/threaded
- secalert@redhathttp://www.securityfocus.com/bid/74761
- secalert@redhathttps://issues.apache.org/jira/browse/JCR-3883
- secalert@redhathttps://www.exploit-db.com/exploits/37110/
- af854a3a-2127-422b-91ae-364da2661108http://mail-archives.apache.org/mod_mbox/jackrabbit-announce/201505.mbox/%3C555DA644.8080908%40greenbytes.de%3E
- af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/132005/Jackrabbit-WebDAV-XXE-Injection.html
- af854a3a-2127-422b-91ae-364da2661108http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt
- af854a3a-2127-422b-91ae-364da2661108http://www.debian.org/security/2015/dsa-3298
- af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/archive/1/535582/100/0/threaded
- af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/74761
- af854a3a-2127-422b-91ae-364da2661108https://issues.apache.org/jira/browse/JCR-3883
Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.apache.jackrabbit:jackrabbit-core | 2.10.0 | 2.10.1 | — |
Data Freshness Timeline
(refreshed 4× in last 7d / 27× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-12 17:37 UTCOSV refresh
- 2026-07-12 05:42 UTCEPSS rescore
- 2026-07-09 19:05 UTCEPSS rescore
- 2026-07-08 15:10 UTCEPSS rescore
- 2026-07-05 02:26 UTCEPSS rescore
- 2026-07-02 15:21 UTCEPSS rescore
- 2026-07-01 15:02 UTCEPSS rescore
- 2026-07-01 15:02 UTCEPSS rescore
- 2026-06-30 23:19 UTCEPSS rescore
- 2026-06-30 23:19 UTCEPSS rescore
- 2026-06-28 04:53 UTCEPSS rescore
- 2026-06-27 03:05 UTCEPSS rescore
- 2026-06-25 13:47 UTCEPSS rescore
- 2026-06-25 13:47 UTCEPSS rescore
- 2026-06-24 14:02 UTCEPSS rescore
- 2026-06-24 14:02 UTCEPSS rescore
- 2026-06-24 00:29 UTCOSV refresh
- 2026-06-23 21:30 UTCEPSS rescore
- 2026-06-21 01:57 UTCEPSS rescore
- 2026-06-21 01:57 UTCEPSS rescore
- 2026-06-18 17:50 UTCEPSS rescore
- 2026-06-18 17:49 UTCEPSS rescore
- 2026-06-17 17:49 UTCEPSS rescore
- 2026-06-15 17:45 UTCEPSS rescore
- 2026-06-14 23:14 UTCEPSS rescore
Show 41 moreShow fewer
- 2026-06-13 22:57 UTCEPSS rescore
- 2026-06-12 23:09 UTCEPSS rescore
- 2026-06-11 13:57 UTCEPSS rescore
- 2026-06-10 22:15 UTCEPSS rescore
- 2026-06-08 14:14 UTCEPSS rescore
- 2026-06-07 15:22 UTCEPSS rescore
- 2026-06-07 06:55 UTCOSV refresh
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
- 2026-06-05 06:08 UTCEPSS rescore
- 2026-06-05 06:08 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-04 13:09 UTCEPSS rescore
- 2026-06-02 20:10 UTCEPSS rescore
- 2026-06-02 20:10 UTCEPSS rescore
- 2026-06-01 13:49 UTCEPSS rescore
- 2026-06-01 13:49 UTCEPSS rescore
- 2026-05-31 22:28 UTCEPSS rescore
- 2026-05-31 22:28 UTCEPSS rescore
- 2026-05-31 22:28 UTCEPSS rescore
- 2026-05-29 13:41 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-27 13:38 UTCEPSS rescore
- 2026-05-27 13:38 UTCEPSS rescore
- 2026-05-26 13:41 UTCEPSS rescore
- 2026-05-26 13:41 UTCEPSS rescore
- 2026-05-24 16:43 UTCEPSS rescore
- 2026-05-23 15:10 UTCEPSS rescore
- 2026-05-23 01:18 UTCEG score recompute
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-22 09:07 UTCOSV refresh
- 2026-05-21 22:40 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-20 11:21 UTCEPSS rescore
- 2026-05-18 21:30 UTCEPSS rescore
- 2026-05-18 21:30 UTCEPSS rescore
Publicly available exploits
(1 reference)Working exploit code is in the public domain (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Exploit-DBEDB-37110First seen May 26, 2015
Apache JackRabbit - WebDAV XML External Entity
Open source ↗
Frequently asked(4)
What is CVE-2015-1833?
When was CVE-2015-1833 disclosed?
Is CVE-2015-1833 actively exploited?
How do I remediate CVE-2015-1833?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2015-1833
Is Your Infrastructure Affected by CVE-2015-1833?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.