CVE-2025-53689
BaseFortify
Publication date: 2025-07-14
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | jackrabbit | From 1.0.0 (inclusive) to 2.22.2 (inclusive) |
| apache | jackrabbit | 2.22.0 |
| apache | jackrabbit | 2.23.0 |
| apache | jackrabbit | 2.23.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Blind XML External Entity (XXE) issue (CWE-611) in the jackrabbit-spi-commons and jackrabbit-core components of Apache Jackrabbit before version 2.23.2. These components load privilege definitions through a document builder that is not configured to reject DOCTYPE declarations or external entities, so an XML document containing external entity references is processed instead of refused.
How can this vulnerability impact me?
An attacker able to supply XML to the unsecured document builder can use external entity resolution to reach sensitive information or to trigger unauthorized actions within the affected Apache Jackrabbit components. Because the issue is blind, the parsed content is not returned directly to the attacker, but the outcome can still be a data breach or a compromise of system integrity.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Apache Jackrabbit to 2.20.17 (Java 8), 2.22.1 (Java 11), or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are no longer supported and should be updated to the corresponding supported release.
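The weakness described above is a document builder created with default settings. The following added example (not Jackrabbit's own code) shows that weak builder beside a hardened one and parses a constructed, privileges-style document with both; the class and method names, and the sample XML layout, are assumptions for illustration, not Jackrabbit's real privilege file format.

```java
import java.io.ByteArrayInputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class PrivilegesXmlLoading {
    // Weak pattern (CWE-611): a default DocumentBuilderFactory honours DOCTYPE
    // declarations and resolves external entities found in untrusted XML.
    static DocumentBuilder insecureBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened builder: refuses any DOCTYPE, so no entity can be declared at all,
    // and turns off the remaining external-fetch paths as defence in depth.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    static Document parse(DocumentBuilder db, String xml) throws Exception {
        return db.parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample (hypothetical layout): a privileges-style document with
        // a DOCTYPE. The entity is internal and harmless; the hardened builder
        // rejects the DOCTYPE itself, so no external entity could be declared either.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE privileges [ <!ENTITY name \"jcr:read\"> ]>\n"
                + "<privileges><privilege><name>&name;</name></privilege></privileges>";
        Document d = parse(insecureBuilder(), xml);
        System.out.println("insecure builder expanded the entity to: "
                + d.getElementsByTagName("name").item(0).getTextContent());
        try {
            parse(hardenedBuilder(), xml);
        } catch (SAXParseException e) {
            System.out.println("hardened builder rejected the document: " + e.getMessage());
        }
    }
}
```

Refusing the DOCTYPE is the check that matters; the extra features only cover parsers that do not honour `disallow-doctype-decl`.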