Remote Code Execution (RCE)

2023-07-2607:59:10

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

jackrabbit-standalone-components

jackrabbit-webapp

commons-beanutils

remote code execution

malicious code

rmi

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.087 Low

EPSS

Percentile

94.6%

JSON

org.apache.jackrabbit:jackrabbit-standalone, jackrabbit-standalone-components and jackrabbit-webapp are vulnerable to Remote Code Execution (RCE). Use of the component commons-beanutils, which contains a class that can be used for remote code execution over RMI, allows an attacker to upload and execute malicious code on the system.

CPENameOperatorVersion
jackrabbit standalonele1.6.5
jackrabbit web applicationle2.20.10
jackrabbit web applicationle2.21.17
jackrabbit standalone componentsle2.20.10
jackrabbit standalone componentsle2.21.17
jackrabbit standalonele1.6.5
jackrabbit web applicationle2.20.10
jackrabbit web applicationle2.21.17
jackrabbit standalone componentsle2.20.10
jackrabbit standalone componentsle2.21.17

Name	Operator	Version
jackrabbit standalone	le	1.6.5
jackrabbit web application	le	2.20.10
jackrabbit web application	le	2.21.17
jackrabbit standalone components	le	2.20.10
jackrabbit standalone components	le	2.21.17
jackrabbit standalone	le	1.6.5
jackrabbit web application	le	2.20.10
jackrabbit web application	le	2.21.17
jackrabbit standalone components	le	2.20.10
jackrabbit standalone components	le	2.21.17