UBUNTU-CVE-2025-58782

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-58782

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-58782.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-58782

Upstream

CVE-2025-58782

Published

2025-09-08T09:15:00Z

Modified

2025-10-24T05:23:36Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.

References

Affected packages

Ubuntu:14.04:LTS

jackrabbit

Package

Name: jackrabbit
Purl: pkg:deb/ubuntu/jackrabbit@2.3.6-1+deb8u2build0.14.04.1?arch=source&distro=trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.3.6-1

2.3.6-1+deb8u1build0.14.04.1

2.3.6-1+deb8u2build0.14.04.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackrabbit-java",
            "binary_version": "2.3.6-1+deb8u2build0.14.04.1"
        }
    ]
}

Ubuntu:16.04:LTS

jackrabbit

Package

Name: jackrabbit
Purl: pkg:deb/ubuntu/jackrabbit@2.10.1-2?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.10.1-1

2.10.1-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackrabbit-java",
            "binary_version": "2.10.1-2"
        }
    ]
}

Ubuntu:18.04:LTS

jackrabbit

Package

Name: jackrabbit
Purl: pkg:deb/ubuntu/jackrabbit@2.14.4-1?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.12.6-1

2.14.4-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackrabbit-java",
            "binary_version": "2.14.4-1"
        }
    ]
}

Ubuntu:20.04:LTS

jackrabbit

Package

Name: jackrabbit
Purl: pkg:deb/ubuntu/jackrabbit@2.18.0+r2.14.6-1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.18.0+r2.14.6-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackrabbit-java",
            "binary_version": "2.18.0+r2.14.6-1"
        }
    ]
}

Ubuntu:22.04:LTS

jackrabbit

Package

Name: jackrabbit
Purl: pkg:deb/ubuntu/jackrabbit@2.20.3-1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.18.0+r2.14.6-1

2.20.3-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackrabbit-java",
            "binary_version": "2.20.3-1"
        }
    ]
}

Ubuntu:24.04:LTS

jackrabbit

Package

Name: jackrabbit
Purl: pkg:deb/ubuntu/jackrabbit@2.20.11-1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.20.11-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackrabbit-java",
            "binary_version": "2.20.11-1"
        }
    ]
}

Ubuntu:25.04

jackrabbit

Package

Name: jackrabbit
Purl: pkg:deb/ubuntu/jackrabbit@2.20.11-1?arch=source&distro=plucky

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.20.11-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackrabbit-java",
            "binary_version": "2.20.11-1"
        }
    ]
}

Ubuntu:25.10

jackrabbit

Package

Name: jackrabbit
Purl: pkg:deb/ubuntu/jackrabbit@2.20.11-1.1?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.20.11-1

2.20.11-1.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "libjackrabbit-java",
            "binary_version": "2.20.11-1.1"
        }
    ]
}