CVE-2025-53689

Apache Jackrabbit: XXE vulnerability in jackrabbit-spi-commons

CVSS 8.8 HIGHEPSS 0.5%CWE-611

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.8EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

14 jul 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Productos afectados

Apache Software Foundation · Apache Jackrabbit

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://lists.apache.org/thread/5pf9n76ny13pzzk765og2h3gxdxw7p24 http://www.openwall.com/lists/oss-security/2025/07/14/1