PT-2021-4202 · Apache · Apache Jena

Andy Seaborne

Published

2021-09-16

Updated

2021-10-06

CVE-2021-39239

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions Apache Jena versions up to 4.1.0

Description A vulnerability in XML processing may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server. The issue is related to incorrect restriction of XML links to external objects, which can be exploited by a remote attacker to disclose protected information.

Recommendations For versions up to 4.1.0, update to a version later than 4.1.0 to resolve the issue. As a temporary workaround, consider restricting XML processing to minimize the risk of exploitation. Avoid using XML External Entities (XXE) in XML processing until the issue is resolved.

Fix

XXE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-611

Related Identifiers

BDU:2021-04799

CVE-2021-39239

GHSA-7RP6-W7MG-H8RW

Affected Products

Apache Jena

PT-2021-4202 · Apache · Apache Jena

CVE-2021-39239

Weakness Enumeration

Related Identifiers

Affected Products

References · 23