Potentially yes, see https://issues.apache.org/jira/browse/JENA-1364

There is a known vulnerability in the Apache Xerces library we use; unfortunately there has not been an official Xerces release for quite some time (Feb 2013 was the last). There had been some apparent discussion about finally making a new release around the time that the issue was reported to us, but it has unfortunately not materialised.

The referenced JIRA issue describes end user workarounds which involve substituting an alternative build of that library.

For general guidelines on how to report security issues to any Apache project please see https://www.apache.org/security/

Rob

On 19/10/2017 16:13, "Roland Cornelissen" <[email protected]> wrote:

Hi,

Could it be that the Jena library causes an XXE vulnerability? [1]
I am looking into this for a web application we are using and I'm not sure on how to report/question such issues.

Thanks,
Roland

[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
