Source: jackrabbit
Version: 2.20.11-1.1
Severity: important
Tags: security upstream
Forwarded: https://issues.apache.org/jira/browse/JCR-5135
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.20.3-1

Hi,

The following vulnerability was published for jackrabbit.

CVE-2025-58782[0]:
| Deserialization of Untrusted Data vulnerability in Apache Jackrabbit
| Core and Apache Jackrabbit JCR Commons. This issue affects Apache
| Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR
| Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI
| URIs for JCR lookup from untrusted users allow them to inject
| malicious JNDI references, potentially leading to arbitrary code
| execution through deserialization of untrusted data. Users are
| recommended to upgrade to version 2.22.2. JCR lookup through JNDI
| has been disabled by default in 2.22.2. Users of this feature need
| to enable it explicitly and are advised to review their use of JNDI
| URI for JCR lookup.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-58782
    https://www.cve.org/CVERecord?id=CVE-2025-58782
[1] https://www.openwall.com/lists/oss-security/2025/09/06/3
[2] https://issues.apache.org/jira/browse/JCR-5135
[3] https://github.com/apache/jackrabbit/commit/c6335271e95f3a660962212584dc19e6f23969b0

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
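As an added example (not code from this bug report, from Jackrabbit, or from the upstream fix), the guard below shows how a deployment still on an affected version can apply the same policy the advisory describes for 2.22.2: repository URIs supplied by a request may only use a JNDI lookup when an operator has explicitly opted in, and then only for a fixed allowlist of names. It assumes JcrUtils.getRepository(String) from jackrabbit-jcr-commons and that "jndi:" is the URI scheme handled by its JNDI repository factory; the system property name and the allowlisted JNDI name are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.commons.JcrUtils;

/** Guard in front of a JCR lookup whose repository URI arrives from a request. */
public final class GuardedRepositoryLookup {

    // Hypothetical opt-in switch; the default mirrors 2.22.2, where JNDI lookup is off.
    private static final boolean JNDI_LOOKUP_ENABLED =
        Boolean.getBoolean("example.jcr.jndi.enabled");

    // Hypothetical allowlist: only names the operator has deliberately bound locally.
    private static final Set<String> ALLOWED_JNDI_NAMES =
        Set.of("java:comp/env/jcr/repository");

    private GuardedRepositoryLookup() {}

    /** True only if the URI may be handed to JcrUtils.getRepository. */
    static boolean isAllowed(String uri) {
        URI parsed;
        try {
            parsed = new URI(uri);
        } catch (URISyntaxException e) {
            return false;                // unparseable input is never forwarded
        }
        String scheme = parsed.getScheme();
        if (scheme == null) {
            return false;
        }
        if (!"jndi".equalsIgnoreCase(scheme)) {
            return true;                 // other schemes need their own policy
        }
        if (!JNDI_LOOKUP_ENABLED) {
            return false;                // JNDI lookup disabled unless opted in
        }
        // Exact match only: an attacker-chosen reference never reaches the JNDI lookup.
        return ALLOWED_JNDI_NAMES.contains(parsed.getSchemeSpecificPart());
    }

    public static Repository lookup(String untrustedUri) throws RepositoryException {
        if (!isAllowed(untrustedUri)) {
            throw new RepositoryException("JNDI repository lookup rejected: " + untrustedUri);
        }
        return JcrUtils.getRepository(untrustedUri);
    }
}
```

Rejected lookups are worth logging with the offending URI, since a stream of "jndi:" URIs from unauthenticated clients is the observable signal of someone probing for this issue.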
