Apache Jena: Exposure of execution in script engine expressions.
CVE-2023-32200

8.8 HIGH

Key Information:

Vendor: Apache
CVE Published: 12 July 2023

Summary

A vulnerability exists in Apache Jena versions 4.8.0 and earlier because insufficient restrictions are applied to script functions that a query can call. The flaw could allow a remote attacker to execute arbitrary JavaScript code via a crafted SPARQL query, potentially compromising the integrity and security of the affected systems. Users and administrators of Apache Jena should address this issue promptly by applying the recommended updates and patches.

Affected Version(s)

Apache Jena 3.7.0 through 4.8.0 (3.7.0 <= version <= 4.8.0)

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

s3gundo of Alibaba