{"url":"http://public2.vulnerablecode.io/api/packages/561421?format=json","purl":"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.4.5","type":"maven","namespace":"org.apache.jackrabbit","name":"jackrabbit-webdav","version":"2.4.5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.20.11","latest_non_vulnerable_version":"2.21.18","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/30320?format=json","vulnerability_id":"VCID-6xn7-25dp-33c5","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-6801","reference_id":"","reference_type":"","scores":[{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58539","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58651","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-6801"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6801","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6801"},{"reference_url":"https://github.com/apache/jackrabbit","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/jackrabbit"},{"reference_url":"https://github.com/apache/jackrabbit/commit/09393f93862923e4c8a2f8c7d1236e1a5d3373b5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/jackrabbit/commit/09393f93862923e4c8a2f8c7d1236e1a5d3373b5"},{"reference_url":"https://github.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d"},{"reference_url":"https://github.com/apache/jackrabbit/commit/283df6f101676579086400e30e8dd42eacd5ef33","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/jackrabbit/commit/283df6f101676579086400e30e8dd42eacd5ef33"},{"reference_url":"https://github.com/apache/jackrabbit/commit/30318d5aef7bf494e579a86f45c79b18b204a997","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/jackrabbit/commit/30318d5aef7bf494e579a86f45c79b18b204a997"},{"reference_url":"https://github.com/apache/jackrabbit/commit/43accb855897b0d82393d47420e25a1e4a569211","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/jackrabbit/commit/43accb855897b0d82393d47420e25a1e4a569211"},{"reference_url":"https://github.com/apache/jackrabbit/commit/4908cb64317122cdd3e096ebe8c32bd98d2ed8b7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/jackrabbit/commit/4908cb64317122cdd3e096ebe8c32bd98d2ed8b7"},{"reference_url":"https://github.com/apache/jackrabbit/commit/884ede7db1c6ca490fcbb8238762b000a25f82c3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/jackrabbit/commit/884ede7db1c6ca490fcbb8238762b000a25f82c3"},{"reference_url":"https://github.com/apache/jackrabbit/commit/8dde23b63151417769eaca112fbbae9a52c47ff3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/jackrabbit/commit/8dde23b63151417769eaca112fbbae9a52c47ff3"},{"reference_url":"https://github.com/apache/jackrabbit/commit/987168c04327fd4fbbb4fb9d13ae92d5ca888386","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/jackrabbit/commit/987168c04327fd4fbbb4fb9d13ae92d5ca888386"},{"reference_url":"https://github.com/apache/jackrabbit/commit/cab86cdfb7829b66c89196dfb6095f0faa5aa3c3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/jackrabbit/commit/cab86cdfb7829b66c89196dfb6095f0faa5aa3c3"},{"reference_url":"https://github.com/apache/jackrabbit/commit/d6e86e4350989af3eb3eb0429d6e4d4d6bd40e5c","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/jackrabbit/commit/d6e86e4350989af3eb3eb0429d6e4d4d6bd40e5c"},{"reference_url":"https://github.com/apache/jackrabbit/commit/db26ade17d791bbb4e4771ed9650ec1159a541ff","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/jackrabbit/commit/db26ade17d791bbb4e4771ed9650ec1159a541ff"},{"reference_url":"https://github.com/apache/jackrabbit/commit/ea75d7c2aeaafecd9ab97736bf81c5616f703244","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/jackrabbit/commit/ea75d7c2aeaafecd9ab97736bf81c5616f703244"},{"reference_url":"https://github.com/apache/jackrabbit/commit/eae001a54aae9c243ac06b5c8f711b2cb2038700","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/jackrabbit/commit/eae001a54aae9c243ac06b5c8f711b2cb2038700"},{"reference_url":"https://github.com/apache/jackrabbit/commit/f05620fb3f4c72429c9856ab7f63a9ac8ca90acf","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/jackrabbit/commit/f05620fb3f4c72429c9856ab7f63a9ac8ca90acf"},{"reference_url":"https://github.com/apache/jackrabbit/commit/f0bd17956647cf09cc898d30e7d58221ef409bca","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/jackrabbit/commit/f0bd17956647cf09cc898d30e7d58221ef409bca"},{"reference_url":"https://issues.apache.org/jira/browse/JCR-4009","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://issues.apache.org/jira/browse/JCR-4009"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-6801","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-6801"},{"reference_url":"https://web.archive.org/web/20210123170657/http://www.securityfocus.com/bid/92966","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20210123170657/http://www.securityfocus.com/bid/92966"},{"reference_url":"http://www.debian.org/security/2016/dsa-3679","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2016/dsa-3679"},{"reference_url":"http://www.openwall.com/lists/oss-security/2016/09/14/6","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2016/09/14/6"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838204","reference_id":"838204","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=838204"},{"reference_url":"https://github.com/advisories/GHSA-9fc7-rhq3-wm7x","reference_id":"GHSA-9fc7-rhq3-wm7x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9fc7-rhq3-wm7x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/386509?format=json","purl":"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ntd8-dnvq-cqa8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.4.6"},{"url":"http://public2.vulnerablecode.io/api/packages/386510?format=json","purl":"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.6.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ntd8-dnvq-cqa8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.6.6"},{"url":"http://public2.vulnerablecode.io/api/packages/386511?format=json","purl":"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.8.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ntd8-dnvq-cqa8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.8.3"},{"url":"http://public2.vulnerablecode.io/api/packages/386512?format=json","purl":"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.10.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ntd8-dnvq-cqa8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.10.4"},{"url":"http://public2.vulnerablecode.io/api/packages/386513?format=json","purl":"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.12.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ntd8-dnvq-cqa8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.12.4"},{"url":"http://public2.vulnerablecode.io/api/packages/386514?format=json","purl":"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ntd8-dnvq-cqa8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.13.3"}],"aliases":["CVE-2016-6801","GHSA-9fc7-rhq3-wm7x"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6xn7-25dp-33c5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/138387?format=json","vulnerability_id":"VCID-ntd8-dnvq-cqa8","summary":"Java object deserialization issue in Jackrabbit webapp/standalone on all platforms allows attacker to remotely execute code via RMIVersions up to (including) 2.20.10 (stable branch) and 2.21.17 (unstable branch) use the component \"commons-beanutils\", which contains a class that can be used for remote code execution over RMI.\n\nUsers are advised to immediately update to versions 2.20.11 or 2.21.18. Note that earlier stable branches (1.0.x .. 2.18.x) have been EOLd already and do not receive updates anymore.\n\nIn general, RMI support can expose vulnerabilities by the mere presence of an exploitable class on the classpath. Even if Jackrabbit itself does not contain any code known to be exploitable anymore, adding other components to your server can expose the same type of problem. We therefore recommend to disable RMI access altogether (see further below), and will discuss deprecating RMI support in future Jackrabbit releases.\n\nHow to check whether RMI support is enabledRMI support can be over an RMI-specific TCP port, and over an HTTP binding. Both are by default enabled in Jackrabbit webapp/standalone.\n\nThe native RMI protocol by default uses port 1099. To check whether it is enabled, tools like \"netstat\" can be used to check.\n\nRMI-over-HTTP in Jackrabbit by default uses the path \"/rmi\". So when running standalone on port 8080, check whether an HTTP GET request on localhost:8080/rmi returns 404 (not enabled) or 200 (enabled). Note that the HTTP path may be different when the webapp is deployed in a container as non-root context, in which case the prefix is under the user's control.\n\nTurning off RMIFind web.xml (either in JAR/WAR file or in unpacked web application folder), and remove the declaration and the mapping definition for the RemoteBindingServlet:\n\n        <servlet>\n            <servlet-name>RMI</servlet-name>\n            <servlet-class>org.apache.jackrabbit.servlet.remote.RemoteBindingServlet</servlet-class>\n        </servlet>\n\n        <servlet-mapping>\n            <servlet-name>RMI</servlet-name>\n            <url-pattern>/rmi</url-pattern>\n        </servlet-mapping>\n\nFind the bootstrap.properties file (in $REPOSITORY_HOME), and set\n\n         rmi.enabled=false\n\n    and also remove\n\n         rmi.host\n         rmi.port\n         rmi.url-pattern\n\n If there is no file named bootstrap.properties in $REPOSITORY_HOME, it is located somewhere in the classpath. In this case, place a copy in $REPOSITORY_HOME and modify it as explained.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37895","reference_id":"","reference_type":"","scores":[{"value":"0.10007","scoring_system":"epss","scoring_elements":"0.93221","published_at":"2026-06-11T12:55:00Z"},{"value":"0.10007","scoring_system":"epss","scoring_elements":"0.93243","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37895"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37895","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37895"},{"reference_url":"https://github.com/apache/jackrabbit","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/jackrabbit"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37895","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37895"},{"reference_url":"http://seclists.org/fulldisclosure/2023/Jul/43","reference_id":"43","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-02T19:25:04Z/"}],"url":"http://seclists.org/fulldisclosure/2023/Jul/43"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/07/25/8","reference_id":"8","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-02T19:25:04Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/07/25/8"},{"reference_url":"https://github.com/advisories/GHSA-q8cm-3v62-jj79","reference_id":"GHSA-q8cm-3v62-jj79","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q8cm-3v62-jj79"},{"reference_url":"https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw","reference_id":"j03b3qdhborc2jrhdc4d765d3jkh8bfw","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-02T19:25:04Z/"}],"url":"https://lists.apache.org/thread/j03b3qdhborc2jrhdc4d765d3jkh8bfw"},{"reference_url":"https://lists.apache.org/list.html?users@jackrabbit.apache.org","reference_id":"list.html?users@jackrabbit.apache.org","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-02T19:25:04Z/"}],"url":"https://lists.apache.org/list.html?users@jackrabbit.apache.org"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/393968?format=json","purl":"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.20.11","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.20.11"},{"url":"http://public2.vulnerablecode.io/api/packages/393969?format=json","purl":"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.21.18","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.21.18"}],"aliases":["CVE-2023-37895","GHSA-q8cm-3v62-jj79"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ntd8-dnvq-cqa8"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.jackrabbit/jackrabbit-webdav@2.4.5"}