Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.4.3
Type maven
Namespace org.apache.jackrabbit
Name jackrabbit-webdav
Version 2.4.3
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.20.11
Latest_non_vulnerable_version 2.21.18
Affected_by_vulnerabilities
0
url VCID-6xn7-25dp-33c5
vulnerability_id VCID-6xn7-25dp-33c5
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2016-6801
reference_id
reference_type
scores
0
value 0.0036
scoring_system epss
scoring_elements 0.58539
published_at 2026-06-11T12:55:00Z
1
value 0.0036
scoring_system epss
scoring_elements 0.58651
published_at 2026-06-12T12:55:00Z
2
value 0.0036
scoring_system epss
scoring_elements 0.58666
published_at 2026-06-13T12:55:00Z
3
value 0.0036
scoring_system epss
scoring_elements 0.58656
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2016-6801
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6801
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6801
2
reference_url https://github.com/apache/jackrabbit
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/jackrabbit
3
reference_url https://github.com/apache/jackrabbit/commit/09393f93862923e4c8a2f8c7d1236e1a5d3373b5
reference_id
reference_type
scores
url https://github.com/apache/jackrabbit/commit/09393f93862923e4c8a2f8c7d1236e1a5d3373b5
4
reference_url https://github.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d
5
reference_url https://github.com/apache/jackrabbit/commit/283df6f101676579086400e30e8dd42eacd5ef33
reference_id
reference_type
scores
url https://github.com/apache/jackrabbit/commit/283df6f101676579086400e30e8dd42eacd5ef33
6
reference_url https://github.com/apache/jackrabbit/commit/30318d5aef7bf494e579a86f45c79b18b204a997
reference_id
reference_type
scores
url https://github.com/apache/jackrabbit/commit/30318d5aef7bf494e579a86f45c79b18b204a997
7
reference_url https://github.com/apache/jackrabbit/commit/43accb855897b0d82393d47420e25a1e4a569211
reference_id
reference_type
scores
url https://github.com/apache/jackrabbit/commit/43accb855897b0d82393d47420e25a1e4a569211
8
reference_url https://github.com/apache/jackrabbit/commit/4908cb64317122cdd3e096ebe8c32bd98d2ed8b7
reference_id
reference_type
scores
url https://github.com/apache/jackrabbit/commit/4908cb64317122cdd3e096ebe8c32bd98d2ed8b7
9
reference_url https://github.com/apache/jackrabbit/commit/884ede7db1c6ca490fcbb8238762b000a25f82c3
reference_id
reference_type
scores
url https://github.com/apache/jackrabbit/commit/884ede7db1c6ca490fcbb8238762b000a25f82c3
10
reference_url https://github.com/apache/jackrabbit/commit/8dde23b63151417769eaca112fbbae9a52c47ff3
reference_id
reference_type
scores
url https://github.com/apache/jackrabbit/commit/8dde23b63151417769eaca112fbbae9a52c47ff3
11
reference_url https://github.com/apache/jackrabbit/commit/987168c04327fd4fbbb4fb9d13ae92d5ca888386
reference_id
reference_type
scores
url https://github.com/apache/jackrabbit/commit/987168c04327fd4fbbb4fb9d13ae92d5ca888386
12
reference_url https://github.com/apache/jackrabbit/commit/cab86cdfb7829b66c89196dfb6095f0faa5aa3c3
reference_id
reference_type
scores
url https://github.com/apache/jackrabbit/commit/cab86cdfb7829b66c89196dfb6095f0faa5aa3c3
13
reference_url https://github.com/apache/jackrabbit/commit/d6e86e4350989af3eb3eb0429d6e4d4d6bd40e5c
reference_id
reference_type
scores
url https://github.com/apache/jackrabbit/commit/d6e86e4350989af3eb3eb0429d6e4d4d6bd40e5c
14
reference_url https://github.com/apache/jackrabbit/commit/db26ade17d791bbb4e4771ed9650ec1159a541ff
reference_id
reference_type
scores
url https://github.com/apache/jackrabbit/commit/db26ade17d791bbb4e4771ed9650ec1159a541ff
15
reference_url https://github.com/apache/jackrabbit/commit/ea75d7c2aeaafecd9ab97736bf81c5616f703244
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/jackrabbit/commit/ea75d7c2aeaafecd9ab97736bf81c5616f703244
16
reference_url https://github.com/apache/jackrabbit/commit/eae001a54aae9c243ac06b5c8f711b2cb2038700
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/jackrabbit/commit/eae001a54aae9c243ac06b5c8f711b2cb2038700
17
reference_url https://github.com/apache/jackrabbit/commit/f05620fb3f4c72429c9856ab7f63a9ac8ca90acf
reference_id
reference_type
scores
url https://github.com/apache/jackrabbit/commit/f05620fb3f4c72429c9856ab7f63a9ac8ca90acf
18
reference_url https://github.com/apache/jackrabbit/commit/f0bd17956647cf09cc898d30e7d58221ef409bca
reference_id
reference_type
scores
url https://github.com/apache/jackrabbit/commit/f0bd17956647cf09cc898d30e7d58221ef409bca
19
reference_url https://issues.apache.org/jira/browse/JCR-4009
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://issues.apache.org/jira/browse/JCR-4009
20
reference_url https://nvd.nist.gov/vuln/detail/CVE-2016-6801
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2016-6801
21
reference_url https://web.archive.org/web/20210123170657/http://www.securityfocus.com/bid/92966
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://web.archive.org/web/20210123170657/http://www.securityfocus.com/bid/92966
22
reference_url http://www.debian.org/security/2016/dsa-3679
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.debian.org/security/2016/dsa-3679
23
reference_url http://www.openwall.com/lists/oss-security/2016/09/14/6
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2016/09/14/6
24
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838204
reference_id 838204
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838204
25
reference_url https://github.com/advisories/GHSA-9fc7-rhq3-wm7x
reference_id GHSA-9fc7-rhq3-wm7x
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9fc7-rhq3-wm7x
fixed_packages
0
url pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.4.6
purl pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.4.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ntd8-dnvq-cqa8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.4.6
1
url pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.6.6
purl pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.6.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ntd8-dnvq-cqa8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.6.6
2
url pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.8.3
purl pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.8.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ntd8-dnvq-cqa8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.8.3
3
url pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.10.4
purl pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.10.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ntd8-dnvq-cqa8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.10.4
4
url pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.12.4
purl pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.12.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ntd8-dnvq-cqa8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.12.4
5
url pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.13.3
purl pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.13.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ntd8-dnvq-cqa8
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.13.3
aliases CVE-2016-6801, GHSA-9fc7-rhq3-wm7x
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6xn7-25dp-33c5
1
url VCID-ntd8-dnvq-cqa8
vulnerability_id VCID-ntd8-dnvq-cqa8
summary
Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows an attacker to remotely execute code via RMI.

Versions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component "commons-beanutils", which contains a class that can be used for remote code execution over RMI.

Users are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive updates anymore.

In general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath. Even if Jackrabbit itself no longer contains any code known to be exploitable, adding other components to your server can expose the same type of problem. We therefore recommend disabling RMI access altogether (see further below), and will discuss deprecating RMI support in future Jackrabbit releases.

How to check whether RMI support is enabled

RMI support can be exposed over an RMI-specific TCP port and over an HTTP binding. Both are enabled by default in Jackrabbit webapp/standalone.

The native RMI protocol uses port 1099 by default. To check whether it is enabled, use a tool such as "netstat" to see whether the server is listening on that port.

RMI-over-HTTP in Jackrabbit by default uses the path "/rmi". So when running standalone on port 8080, check whether an HTTP GET request on localhost:8080/rmi returns 404 (not enabled) or 200 (enabled). Note that the HTTP path may be different when the webapp is deployed in a container as non-root context, in which case the prefix is under the user's control.

Turning off RMI

Find web.xml (either in the JAR/WAR file or in the unpacked web application folder), and remove the declaration and the mapping definition for the RemoteBindingServlet:

        <servlet>
            <servlet-name>RMI</servlet-name>
            <servlet-class>org.apache.jackrabbit.servlet.remote.RemoteBindingServlet</servlet-class>
        </servlet>

        <servlet-mapping>
            <servlet-name>RMI</servlet-name>
            <url-pattern>/rmi</url-pattern>
        </servlet-mapping>

Find the bootstrap.properties file (in $REPOSITORY_HOME), and set

         rmi.enabled=false

    and also remove

         rmi.host
         rmi.port
         rmi.url-pattern

 If there is no file named bootstrap.properties in $REPOSITORY_HOME, it is located somewhere in the classpath. In this case, place a copy in $REPOSITORY_HOME and modify it as explained.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-37895
reference_id
reference_type
scores
0
value 0.10007
scoring_system epss
scoring_elements 0.93221
published_at 2026-06-11T12:55:00Z
1
value 0.10007
scoring_system epss
scoring_elements 0.93246
published_at 2026-06-14T12:55:00Z
2
value 0.10007
scoring_system epss
scoring_elements 0.93245
published_at 2026-06-13T12:55:00Z
3
value 0.10007
scoring_system epss
scoring_elements 0.93243
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-37895
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37895
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37895
2
reference_url https://github.com/apache/jackrabbit
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/jackrabbit
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-37895
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-37895
4
reference_url http://seclists.org/fulldisclosure/2023/Jul/43
reference_id 43
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-02T19:25:04Z/
url http://seclists.org/fulldisclosure/2023/Jul/43
5
reference_url http://www.openwall.com/lists/oss-security/2023/07/25/8
reference_id 8
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-02T19:25:04Z/
url http://www.openwall.com/lists/oss-security/2023/07/25/8
6
reference_url https://github.com/advisories/GHSA-q8cm-3v62-jj79
reference_id GHSA-q8cm-3v62-jj79
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-q8cm-3v62-jj79
7
reference_url https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw
reference_id j03b3qdhborc2jrhdc4d765d3jkh8bfw
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-02T19:25:04Z/
url https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw
8
reference_url https://lists.apache.org/list.html?users@jackrabbit.apache.org
reference_id list.html?users@jackrabbit.apache.org
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-02T19:25:04Z/
url https://lists.apache.org/list.html?users@jackrabbit.apache.org
fixed_packages
0
url pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.20.11
purl pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.20.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.20.11
1
url pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.21.18
purl pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.21.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.21.18
aliases CVE-2023-37895, GHSA-q8cm-3v62-jj79
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ntd8-dnvq-cqa8
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.4.3