DEBIAN-CVE-2025-58782

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2025-58782
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-58782.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-58782
Upstream
Published
2025-09-08T09:15:30Z
Modified
2025-10-14T04:26:09.694272Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.

References

Affected packages

Debian:11 / jackrabbit

Package

Name
jackrabbit
Purl
pkg:deb/debian/jackrabbit?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.18.0+r2.14.6-1
2.20.3-1
2.20.11-1
2.20.11-1.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / jackrabbit

Package

Name
jackrabbit
Purl
pkg:deb/debian/jackrabbit?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.20.3-1
2.20.11-1
2.20.11-1.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / jackrabbit

Package

Name
jackrabbit
Purl
pkg:deb/debian/jackrabbit?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.20.11-1.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / jackrabbit

Package

Name
jackrabbit
Purl
pkg:deb/debian/jackrabbit?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.20.11-1.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}