PT-2023-18612 · Apache · Apache Jena
L3Yx
Published 2023-04-25 · Updated 2024-01-21 · CVE-2023-22665
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Jena versions 3.7.0 through 4.8.0
Description: The issue stems from insufficient checking of user queries and of the restrictions on invoked script functions in Apache Jena, allowing a remote user to execute arbitrary JavaScript via a SPARQL query.
Recommendations: For Apache Jena versions 3.7.0 through 4.8.0, consider disabling custom script invocation until a patch is available, to prevent the execution of arbitrary JavaScript. Restrict access to SPARQL query endpoints to minimize the risk of exploitation. Avoid using custom scripts in Apache Jena until the issue is resolved.

Fix

Weakness Enumeration

Related Identifiers

CVE-2023-22665
GHSA-J927-W6G7-7C7W
GHSA-XGH5-GWQ5-RPX8

Affected Products

Apache Jena
Debian