It is addressed in 4.8.0
Custom JavaScript execution checking:
Use of JavaScript or Python to write custom functions
now requires system property -Djena:scripting=true
so the deployment has to explicitly enable scripting access.
Note that for Java 17 and later there isn't a JS script engine in
the JRE unless the deployment adds it.
Andy
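A defender-side configuration check for the opt-in described above, added here as an example and not code from the Jena project or from anyone in this thread: given a deployment's Jena version and JVM command line (assumed obtainable, e.g. from a process listing), it reports whether the deployment predates 4.8.0 or has explicitly re-enabled scripting via -Djena:scripting=true. The sample versions, command lines, jar name and the exact-"true" matching rule are constructed assumptions, not values from the advisory.

```python
"""Audit Jena deployments against the scripting opt-in introduced in 4.8.0.

Constructed example (not Jena project code). Inputs are a Jena version
string and the JVM command line the deployment was started with.
"""
import re
import shlex
from typing import Dict, List, Tuple

# Release in which custom-script execution became opt-in (from the thread).
FIXED_IN = (4, 8, 0)
SCRIPTING_PROPERTY = "jena:scripting"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.7.0' or '4.8.0-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jena version: {version!r}")
    return tuple(int(x) for x in m.groups())


def jvm_properties(cmdline: str) -> Dict[str, str]:
    """Collect -Dname=value system properties from a JVM command line.

    A bare -Dname (no '=') is recorded with an empty value, which this check
    treats as *not* enabling scripting (assumption: only 'true' counts).
    """
    props: Dict[str, str] = {}
    for token in shlex.split(cmdline):
        if token.startswith("-D") and len(token) > 2:
            name, _, value = token[2:].partition("=")
            props[name] = value
    return props


def assess(version: str, cmdline: str) -> str:
    """Classify one deployment.

    'vulnerable'         : older than 4.8.0, custom scripts run without any opt-in
    'scripting-enabled'  : 4.8.0+ with -Djena:scripting=true (review who may query)
    'scripting-disabled' : 4.8.0+ without the flag (the hardened default)
    """
    if parse_version(version) < FIXED_IN:
        return "vulnerable"
    value = jvm_properties(cmdline).get(SCRIPTING_PROPERTY, "")
    return "scripting-enabled" if value.lower() == "true" else "scripting-disabled"


def audit(deployments: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (version, status) for each (version, cmdline) pair."""
    return [(v, assess(v, c)) for v, c in deployments]


# Constructed sample deployments; jar name and options are placeholders.
SAMPLE_DEPLOYMENTS = [
    ("4.7.0", "java -Xmx2G -jar jena-app.jar --port 3030"),
    ("4.8.0", "java -Djena:scripting=true -jar jena-app.jar"),
    ("4.8.0", "java -jar jena-app.jar"),
]

if __name__ == "__main__":
    for version, status in audit(SAMPLE_DEPLOYMENTS):
        print(f"Jena {version}: {status}")
```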
On 24/04/2023 20:06, Marco Neumann wrote:
Is that already fixed in 4.8.0 or applies to Apache Jena versions 4.7.0+?
Marco
On Mon, Apr 24, 2023 at 8:03 PM Andy Seaborne <[email protected]> wrote:
Severity: important
Description:
There is insufficient checking of user queries in Apache Jena versions
4.7.0 and earlier, when invoking custom scripts. It allows a remote user to
execute arbitrary JavaScript via a SPARQL query.
Credit:
L3yx of Syclover Security Team (reporter)
References:
https://jena.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-22665