CVE-2023-22665 — Expression Language Injection in Software Foundation Apache Jena

CWE-917 — Expression Language Injection6 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

1.0%

top 22.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Jena Apache Jena

Timeline

PublishedApr 25

Description

There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDapache/jena3.7.0 — 4.8.0

▶CVEListV5apache_software_foundation/apache_jena4.7.0

🔴Vulnerability Details

GHSA

Arbitrary javascript injection in Apache Jena↗2023-04-25

▶

CVEList

Apache Jena: Exposure of arbitrary execution in script engine expressions.↗2023-04-25

▶

OSV

CVE-2023-22665: There is insufficient checking of user queries in Apache Jena versions 4↗2023-04-25

▶

OSV

Arbitrary javascript injection in Apache Jena↗2023-04-25

▶

📋Vendor Advisories

Debian

CVE-2023-22665: apache-jena - There is insufficient checking of user queries in Apache Jena versions 4.7.0 and...↗2023

▶