CVE-2012-3353: Exposure of Sensitive Information to an Unauthorized Actor

May 14, 2022 (updated August 29, 2023)

The Apache Sling JCR ContentLoader 2.1.4 XmlReader used in the Sling JCR content loader module makes it possible to import arbitrary files in the content repository, including local files, causing potential information leaks. Users should upgrade to version 2.1.6 of the JCR ContentLoader

References

github.com/advisories/GHSA-wjp3-4xcq-598p
issues.apache.org/jira/browse/SLING-2512
lists.apache.org/thread/owd2xw86l19dh1f1zlhq41l7wlnd16sk
nvd.nist.gov/vuln/detail/CVE-2012-3353

Code Behaviors & Features

Detect and mitigate CVE-2012-3353 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →