CVE-2022-28890

Severity: 9.8 CRITICAL
EPSS: 0.5% (top 34.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 5; latest update May 6

Description

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (4 packages)

Maven: org.apache.jena:jena, affected 4.4.0, fixed 4.5.0
Debian: apache-jena, < 4.5.0-1+2
CVEListV5: apache_software_foundation/apache_jena (Apache Jena), 4.4.0
NVD: apache/jena, 4.4.0

Vulnerability Details (4)

GHSA: XML External Entity Reference in apache jena (2022-05-06)
OSV: XML External Entity Reference in apache jena (2022-05-06)
CVEList: Processing external DTDs (2022-05-05)
OSV: CVE-2022-28890: A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved (2022-05-05)

Vendor Advisories (1)

Debian: CVE-2022-28890: apache-jena - A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause... (2022)