CVE-2023-22665

Summary

There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Jena0 <= 4.7.0affected

Weaknesses

  • CWE-917: CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

Workarounds

Users not using custom scripted functions are advised to run Java17 or later with no script engine added to the deployment.

ADP Enrichment

CVE Program Container

Additional References

References