Colm,
I don't know where github gets the package information. It's not in the CVE.
Do you know how the github advisories are produced?
As maven artifacts:
org.apache.jena:jena is the source release.
org.apache.jena:jena-fuseki is the parent POM for Fuseki.
Not sure where jena-core comes in. The issues are not in jena-core.
jena-core is just one jar that makes up a release. jena-core on its own
doesn't do much and its RDF readers are just enough to make the tests work.
The project makes one release per version with all the binaries - the
source release includes source for everything. No distinction between
library use or a Fuseki server.
Both CVEs are related to Fuseki functionality but running a mixture of
jars from different versions is not supported nor tested.
org.apache.jena:apache-jena-libs is the POM that brings in the jars for
general library use.
org.apache.jena:apache-jena-fuseki is the usual Fuseki download zip.
org.apache.jena:jena-fuseki-server is the shaded jar.
Andy
On 17/12/2025 12:09, Colm O hEigeartaigh wrote:
Hi,
Looking at https://jena.apache.org/security/advisories.html both recent CVEs
refer to Jena Fuseki:
- CVE-2025-50151 affects Jena Fuseki in versions up to 5.4.0.
- CVE-2025-49656 affects Jena Fuseki in versions up to 5.4.0.
The GitHub Advisory DB for the latter
(https://github.com/advisories/GHSA-jq2c-m8gg-mqcm) references
org.apache.jena:jena-fuseki as the impacted package. However for the first CVE
it references (https://github.com/advisories/GHSA-xg9p-p463-3qjp)
org.apache.jena:jena.
This is leading to tools like Trivy finding no vulnerability in jena-core, as
the advisory is only matched against the Jena jar. I'm not sure if it should
match against only jena-fuseki or all Jena jars.
Please review what the impacted packages are for both CVEs.
Thanks,
Colm.
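The mismatch Colm describes (Trivy reporting nothing for jena-core) follows from how dependency scanners match: an advisory is keyed to exact Maven coordinates (groupId:artifactId) plus a version range, so a jar whose coordinates are not in the advisory's affected-package list is never flagged, whatever it contains. The following is an added illustration written for this thread, not Trivy's code and not anything from the Apache Jena project. The two GHSA identifiers, CVE numbers, "up to 5.4.0" bound and the artifact names are taken from the messages above; the dependency lists and the "re-keyed" advisory variant (the same advisories pointed at the artifacts Andy lists as actually shipping Fuseki) are assumptions constructed for the example.

```python
"""Constructed model of advisory-to-dependency matching in a scanner.

Not Trivy and not Jena project code. Advisory identifiers and the
'up to 5.4.0' range come from the mailing-list thread; the dependency
trees and the re-keyed advisory list are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '5.4.0' into (5, 4, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    ghsa: str
    cve: str
    affected_packages: frozenset[str]  # exact "groupId:artifactId" coordinates
    last_affected: str                 # inclusive upper bound ("up to 5.4.0")

    def matches(self, coordinate: str, version: str) -> bool:
        # Both conditions must hold: exact coordinate AND version in range.
        # A jar not listed in affected_packages is never matched, regardless
        # of what code it ships.
        return (coordinate in self.affected_packages
                and parse_version(version) <= parse_version(self.last_affected))


def scan(deps: list[tuple[str, str]], advisories: list[Advisory]) -> list[tuple[str, str, str]]:
    """Return (coordinate, version, ghsa) for every dependency an advisory matches."""
    return [(coord, version, adv.ghsa)
            for coord, version in deps
            for adv in advisories
            if adv.matches(coord, version)]


# Advisories as the GitHub Advisory DB keys them, per the thread.
GHSA_AS_PUBLISHED = [
    Advisory("GHSA-xg9p-p463-3qjp", "CVE-2025-50151",
             frozenset({"org.apache.jena:jena"}), "5.4.0"),
    Advisory("GHSA-jq2c-m8gg-mqcm", "CVE-2025-49656",
             frozenset({"org.apache.jena:jena-fuseki"}), "5.4.0"),
]

# Assumption for the example: the same advisories re-keyed to the artifacts
# Andy names as the Fuseki distribution (parent POM, download zip, shaded jar).
FUSEKI_ARTIFACTS = frozenset({
    "org.apache.jena:jena-fuseki",
    "org.apache.jena:apache-jena-fuseki",
    "org.apache.jena:jena-fuseki-server",
})
GHSA_REKEYED = [Advisory(a.ghsa, a.cve, FUSEKI_ARTIFACTS, a.last_affected)
                for a in GHSA_AS_PUBLISHED]

# Constructed dependency trees (assumptions, not real projects).
LIBRARY_APP = [("org.apache.jena:jena-core", "5.4.0")]
FUSEKI_DEPLOYMENT = [("org.apache.jena:jena-fuseki-server", "5.4.0")]
PATCHED_FUSEKI = [("org.apache.jena:jena-fuseki-server", "5.5.0")]


if __name__ == "__main__":
    # Colm's observation: jena-core is never matched against org.apache.jena:jena.
    print("library app, published keys :", scan(LIBRARY_APP, GHSA_AS_PUBLISHED))
    # The shaded Fuseki jar is also missed by the as-published keys.
    print("fuseki jar, published keys  :", scan(FUSEKI_DEPLOYMENT, GHSA_AS_PUBLISHED))
    # Re-keyed to the Fuseki artifacts, the affected deployment is flagged twice.
    print("fuseki jar, re-keyed        :", scan(FUSEKI_DEPLOYMENT, GHSA_REKEYED))
    # A version above the inclusive bound is not flagged.
    print("fuseki jar 5.5.0, re-keyed  :", scan(PATCHED_FUSEKI, GHSA_REKEYED))
```

The point the model makes concrete is that the fix lives in the advisory metadata, not in the scanner: whichever coordinates the advisory is keyed to are the only ones any consumer will ever see flagged, so the question Colm raises (jena-fuseki only, or every Jena jar) decides who gets a finding.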