Version 2.10.1 of Apache Jackrabbit fixes XXE/XEE issue in the jackrabbit-webdav module. Part of original advisory: """ When processing a WebDAV request body containing XML, the XML parser can be instructed to read content from network resources accessible to the host, identified by URI schemes such as "http(s)" or "file". Depending on the WebDAV request, this can not only be used to trigger internal network requests, but might also be used to insert said content into the request, potentially exposing it to the attacker and others (for instance, by inserting said content in a WebDAV property value using a PROPPATCH request). See also IETF RFC 4918, Section 20.6. """ Original report: http://seclists.org/bugtraq/2015/May/124 Upstream bug with patches: https://issues.apache.org/jira/browse/JCR-3883
Created jackrabbit tracking bugs for this issue: Affects: fedora-all [bug 1223885]
Camel doesn't have a webdav server. It has some webdav client libraries, such as commons-vfs, and camel-hadoop, but not a server.
Jackrabbit is not shipped in Fuse Service Works.
jackrabbit-webdav package removed in Fedora 22
None of our middleware product suite host a WebDav Server using Jackrabbit. Closing as NOTABUG