Name of the Vulnerable Software and Affected Versions:
Apache Jackrabbit Core versions 1.0.0 through 2.22.1
Apache Jackrabbit JCR Commons versions 1.0.0 through 2.22.1
Description:
This issue is a deserialization of untrusted data in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. Deployments that accept JNDI URIs for JCR lookup from untrusted users are susceptible to malicious JNDI reference injection, which can lead to arbitrary code execution.
Recommendations:
Upgrade Apache Jackrabbit Core to version 2.22.2.
Upgrade Apache Jackrabbit JCR Commons to version 2.22.2.
In version 2.22.2 and later, JCR lookup through JNDI is disabled by default. If this feature is required, enable it explicitly and carefully review the use of JNDI URIs for JCR lookup.
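The recommendation above amounts to never letting an untrusted party choose the repository URI. The following Java snippet is an added illustration, not Jackrabbit project code: a request-supplied value is matched against an operator-controlled allowlist and the "jndi" scheme is refused outright before anything is passed to JcrUtils.getRepository(). The allowlist entries are constructed examples.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.commons.JcrUtils;

// Added illustration (not Jackrabbit project code): only a fixed, operator-controlled
// set of repository URIs is ever handed to JcrUtils.getRepository(). A value arriving
// from a request is matched against that set rather than used directly, so a "jndi:"
// URI (or any other unexpected scheme) from an untrusted party never reaches the lookup.
public final class RepositoryLookup {

    // Constructed sample allowlist; a real deployment reads this from trusted configuration.
    private static final Set<String> ALLOWED_REPOSITORY_URIS = Set.of(
        "http://localhost:8080/server",   // hypothetical DavEx endpoint
        "file:///var/lib/jackrabbit/repo" // hypothetical local repository
    );

    public static Repository lookup(String requested) throws RepositoryException {
        String normalized = normalize(requested);
        if (normalized == null || !ALLOWED_REPOSITORY_URIS.contains(normalized)) {
            // Reject without echoing the allowlist back to the caller.
            throw new RepositoryException("repository URI not permitted");
        }
        return JcrUtils.getRepository(normalized);
    }

    // Parse the input and reject anything that is not an absolute URI. The "jndi"
    // scheme is refused explicitly, so it stays blocked even if it is ever added to
    // the allowlist by mistake.
    static String normalize(String raw) {
        if (raw == null || raw.length() > 2048) {
            return null;
        }
        try {
            URI uri = new URI(raw.trim()).normalize();
            String scheme = uri.getScheme();
            if (scheme == null || scheme.equalsIgnoreCase("jndi")) {
                return null;
            }
            return uri.toString();
        } catch (URISyntaxException e) {
            return null;
        }
    }
}
```

With JNDI lookup left disabled in 2.22.2 and later, this check is defense in depth; it matters most for deployments that re-enable the feature.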