CVE-2023-22665
N/A
N/A
Summary
There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Apache Software Foundation | Apache Jena | 0 <= 4.7.0 | affected |
Weaknesses
- CWE-917: CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Workarounds
Users not using custom scripted functions are advised to run Java17 or later with no script engine added to the deployment.
ADP Enrichment
CVE Program Container
Additional References
- https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s
- http://www.openwall.com/lists/oss-security/2023/07/11/11
References
- https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s
- http://www.openwall.com/lists/oss-security/2023/07/11/11
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.