CVE-2023-32200

CWE-9176 documents5 sources

Severity

8.8HIGH

EPSS

0.9%

top 23.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Jena Apache Jena

Timeline

PublishedJul 12

Description

There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute javascript via a SPARQL query. This issue affects Apache Jena: from 3.7.0 through 4.8.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶Mavenorg.apache.jena:jena3.7.0 — 4.9.0

▶Debianapache-jena< 4.9.0-1+1

▶NVDapache/jena3.7.0 — 4.8.0

▶CVEListV5apache_software_foundation/apache_jena3.7.0 — 4.8.0

🔴Vulnerability Details

CVEList

Apache Jena: Exposure of execution in script engine expressions.↗2023-07-12

▶

OSV

Apache Jena Expression Language Injection vulnerability↗2023-07-12

▶

GHSA

Apache Jena Expression Language Injection vulnerability↗2023-07-12

▶

OSV

CVE-2023-32200: There is insufficient restrictions of called script functions in Apache Jena versions 4↗2023-07-12

▶

📋Vendor Advisories

Debian

CVE-2023-32200: apache-jena - There is insufficient restrictions of called script functions in Apache Jena ve...↗2023

▶