===================================================================
CERT-Renater Information Note No. 2023/VULN180
_____________________________________________________________________
DATE : 28/04/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache Jena (Maven) versions prior to 4.8.0.
====================================================================

Source: https://github.com/advisories/GHSA-xgh5-gwq5-rpx8
_____________________________________________________________________

Arbitrary JavaScript injection in Apache Jena

Severity        : High
GitHub Reviewed : Yes
Published       : Apr 25, 2023 (GitHub Advisory Database)
Last updated    : Apr 25, 2023
Reviewed        : Apr 25, 2023

Vulnerability details
---------------------
Package          : org.apache.jena:jena (Maven)
Affected versions: < 4.8.0
Patched versions : 4.8.0
CVE ID           : CVE-2023-22665
GHSA ID          : GHSA-xgh5-gwq5-rpx8
Weakness         : CWE-917 (Expression Language Injection)
Source code      : apache/jena

Description
-----------
Apache Jena versions 4.7.0 and earlier perform insufficient checking of
user-supplied queries when invoking custom script functions. A remote user
who can submit a SPARQL query to an affected endpoint can use this to execute
arbitrary JavaScript in the server's script engine, i.e. the query text is
evaluated as an expression language (CWE-917) rather than being confined to
SPARQL semantics. Deployments that expose a SPARQL endpoint to untrusted
clients and make use of Jena's JavaScript custom-function support are the
ones at risk.

Remediation: upgrade to Apache Jena 4.8.0 or later. All Jena modules
(jena-arq, jena-core, jena-fuseki-*, ...) are released together with one
shared version number, so every org.apache.jena artifact in the dependency
tree must be moved to 4.8.0 together; a single module left at 4.7.0 or
earlier keeps the vulnerable code on the classpath. From 4.8.0 onwards,
script functions are additionally disabled unless the system property
jena:scripting is explicitly set to true.

References
----------
https://nvd.nist.gov/vuln/detail/CVE-2023-22665
https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s

+=========================================================+
+ CERT-RENATER          | tel   : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax   : 01-53-94-20-41          +
+ 75013 Paris           | email : cert@support.renater.fr +
+=========================================================+
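The check a practitioner needs after reading the advisory is an inventory one: which Maven builds still pull in an org.apache.jena artifact below the patched version 4.8.0. The script below is an added example, not part of the CERT-Renater note or the Apache Jena project. It parses the output of `mvn dependency:list` and flags every org.apache.jena artifact older than 4.8.0, using a Maven-style version comparison in which a qualified version such as 4.8.0-SNAPSHOT or 4.8.0-RC1 sorts before the plain 4.8.0 release and is therefore still reported. Two assumptions are labelled in the code: it treats every org.apache.jena module as affected below 4.8.0 (the advisory names only org.apache.jena:jena; the modules share one release version), and the Maven output it runs on is constructed for this example, not captured from a real build.

```python
"""Flag Apache Jena artifacts below the patched version named in the advisory.

Added example (not CERT-Renater's or Apache Jena's code). Assumptions:
  1. Every org.apache.jena:* module is treated as affected when its version
     is below 4.8.0, not only org.apache.jena:jena as listed in the advisory,
     because the Jena modules are released together under one version.
  2. SAMPLE_MVN_OUTPUT is constructed for this example; it is not real
     `mvn dependency:list` output from any project.
"""
import re
from typing import List, Tuple

PATCHED = "4.8.0"          # patched version stated in the advisory
GROUP = "org.apache.jena"  # Maven groupId of every Jena module

# `mvn dependency:list` prints resolved artifacts as
#   "[INFO]    groupId:artifactId:type[:classifier]:version:scope"
_INFO_TOKEN = re.compile(r"^\[INFO\]\s+(\S+)")
_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed sample output (assumption 2). Mixed Jena versions in one tree
# are unrealistic but exercise every branch of the comparison below.
SAMPLE_MVN_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.5.0:list (default-cli) @ demo-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.apache.jena:jena-arq:jar:4.7.0:compile
[INFO]    org.apache.jena:jena-core:jar:4.7.0:compile
[INFO]    org.apache.jena:jena-fuseki-main:jar:4.8.0:compile
[INFO]    org.apache.jena:jena-shacl:jar:4.8.0-SNAPSHOT:compile
[INFO]    org.slf4j:slf4j-api:jar:2.0.7:compile
[INFO]    org.apache.jena:jena-iri:jar:3.17.0:test
[INFO]
"""


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Turn '4.8.0-SNAPSHOT' into a sortable key ((4, 8, 0), 0, 'snapshot').

    The middle element ranks a qualified version (rank 0) *before* the plain
    release of the same numbers (rank 1), matching Maven ordering, so
    4.8.0-RC1 and 4.8.0-SNAPSHOT both compare lower than 4.8.0.
    """
    core, _, qualifier = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    nums += (0,) * max(0, 3 - len(nums))  # pad so '4.8' == '4.8.0'
    release_rank = 0 if qualifier else 1
    return nums, release_rank, qualifier.lower()


def is_affected(version: str, patched: str = PATCHED) -> bool:
    """True when `version` is strictly below the patched release."""
    return parse_version(version) < parse_version(patched)


def find_affected(mvn_output: str, patched: str = PATCHED) -> List[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for every Jena artifact below `patched`."""
    hits: List[Tuple[str, str]] = []
    for line in mvn_output.splitlines():
        match = _INFO_TOKEN.match(line)
        if not match:
            continue
        parts = match.group(1).split(":")
        if len(parts) < 4:  # not a coordinate: plugin banner, prose, blank
            continue
        group, artifact = parts[0], parts[1]
        # Version sits before the scope; tolerate a missing scope or an
        # optional classifier between type and version.
        version = parts[-2] if parts[-1] in _SCOPES else parts[-1]
        if group == GROUP and is_affected(version, patched):
            hits.append((f"{group}:{artifact}", version))
    return hits


if __name__ == "__main__":
    affected = find_affected(SAMPLE_MVN_OUTPUT)
    if not affected:
        print(f"No {GROUP} artifact below {PATCHED} found.")
    for coordinate, version in affected:
        print(f"CVE-2023-22665: {coordinate}:{version} is below {PATCHED}; upgrade.")
```

In practice, pipe real output in with `mvn dependency:list | python3 jena_check.py` after replacing SAMPLE_MVN_OUTPUT with `sys.stdin.read()`; the pre-release handling matters because a 4.8.0-SNAPSHOT built before the fix landed must not be waved through as patched.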