On 31/05/2023 17:17, Brandon Sara wrote:

With CVE-2023-22665, what is the risk of using Fuseki pre-4.8.0 that does not 
have custom scripts configured in any configurations? Is there only a risk if 
custom scripts are set up to be used by Fuseki or is there a risk regardless of 
configuration?

Thanks.

Java17 does not have a JavaScript engine, unless the deployment adds one.

So running on Java17 means that scripts can't execute.

The issue is Java11, where there is a script engine in the JVM runtime.

    Andy

https://openjdk.org/jeps/372
Nashorn removed at Java15.
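
One way to check the condition described in the reply above is to ask the JVM which script engines it can actually load. This is an added example, not part of the original thread and not Jena or Fuseki code; the class name `ScriptEngineCheck` is hypothetical, and the result is only meaningful when run with the same JVM and classpath as the Fuseki deployment.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.script.ScriptEngineFactory;
import javax.script.ScriptEngineManager;

// Hypothetical helper class; not part of Jena or Fuseki.
public class ScriptEngineCheck {

    // JSR 223 short names under which JavaScript engines register themselves.
    private static final Set<String> JS_NAMES = Set.of("javascript", "js", "ecmascript");

    // Returns every discoverable script engine factory that answers to a JavaScript name.
    static List<ScriptEngineFactory> javascriptEngines() {
        List<ScriptEngineFactory> found = new ArrayList<>();
        // The manager discovers engines bundled with the JVM and engines added on the classpath.
        for (ScriptEngineFactory f : new ScriptEngineManager().getEngineFactories()) {
            boolean isJs = f.getNames().stream()
                    .map(n -> n.toLowerCase(Locale.ROOT))
                    .anyMatch(JS_NAMES::contains);
            if (isJs) {
                found.add(f);
            }
        }
        return found;
    }

    public static void main(String[] args) {
        System.out.println("Java feature version: " + Runtime.version().feature());
        List<ScriptEngineFactory> js = javascriptEngines();
        if (js.isEmpty()) {
            System.out.println("No JavaScript engine is available to this JVM and classpath.");
        }
        for (ScriptEngineFactory f : js) {
            System.out.println("JavaScript engine present: " + f.getEngineName()
                    + " " + f.getEngineVersion() + " names=" + f.getNames());
        }
        // Non-zero exit when an engine is present, so a deployment check can fail on it.
        System.exit(js.isEmpty() ? 0 : 1);
    }
}
```

On a stock Java 11 runtime this reports the bundled Nashorn engine; on Java 17 it reports an engine only if the deployment has added one to the classpath.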
