CVE-2023-25141

Name of the Vulnerable Software and Affected Versions Apache Sling JCR Base versions prior to 3.1.12

Description The issue is related to a critical injection vulnerability in Apache Sling JCR Base when running on old JDK versions, specifically JDK 1.8.191 or earlier. This vulnerability occurs through utility functions in RepositoryAccessor, particularly the getRepository and getRepositoryFromURL functions, which allow an application to access data stored in a remote location via JDNI and RMI.

Recommendations For Apache Sling JCR Base versions prior to 3.1.12, upgrade to Apache Sling JCR Base 3.1.12 or later. Alternatively, run Apache Sling JCR Base on a more recent JDK version to mitigate the issue.