An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS14ZzlwLXA0NjMtM3FqcM4ABKVB

Severity: High
EPSS: 0.0007% (0.22022 percentile)

Apache Jena doesn't validate file access paths in configuration files uploaded by users with administrator access

Affected package: maven:org.apache.jena:jena
Affected versions: < 5.5.0
Fixed version: 5.5.0
Dependent packages: 7
Dependent repositories: 66

Affected Version Ranges

All affected versions

2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 2.13.0, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.10.0, 3.11.0, 3.12.0, 3.13.0, 3.13.1, 3.14.0, 3.15.0, 3.16.0, 3.17.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.4.0


File access paths in configuration files uploaded by users with administrator access are not validated, so a file reference inside an uploaded configuration can point anywhere the server process can read or write.

This issue affects Apache Jena versions up to and including 5.4.0.

Users are recommended to upgrade to version 5.5.0, which no longer allows arbitrary configuration upload.
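The advisory says the missing control is validation of file paths that appear in an uploaded configuration. The following is an added example of such a check, written for this page; it is not Apache Jena's code and is not the fix shipped in 5.5.0 (which removed arbitrary configuration upload instead of validating it). It assumes a hypothetical service that has already extracted the file references from an uploaded configuration and wants to confine each one to a single allowed root directory, including references given as `file:` IRIs. Function names, the allowed-root layout, and all sample references are assumptions constructed for the example.

```python
import os
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname


class PathOutsideRoot(ValueError):
    """Raised when a configuration file reference escapes the allowed root."""


def to_local_path(ref: str) -> str:
    """Turn a plain path or a file: IRI into a local filesystem path.

    Anything with another scheme (http:, jar:, ...) is rejected outright, as is a
    file: IRI with a host part, which some resolvers treat as a remote share.
    """
    parsed = urlparse(ref)
    if parsed.scheme == "file":
        if parsed.netloc not in ("", "localhost"):
            raise PathOutsideRoot(f"file IRI with a host is not allowed: {ref!r}")
        return url2pathname(parsed.path)
    # A one-letter "scheme" is a Windows drive letter (C:\...), not a URI scheme.
    if parsed.scheme and len(parsed.scheme) > 1:
        raise PathOutsideRoot(f"unsupported scheme in {ref!r}")
    return ref


def resolve_within(root: str, ref: str) -> Path:
    """Resolve `ref` and return its real path, or raise if it leaves `root`.

    Relative references are taken relative to the root. Both the root and the
    candidate are fully resolved (symlinks followed, '..' collapsed) before the
    containment test, so 'data/../../etc/passwd' and a symlink planted inside
    the root that points outside it are both rejected.
    """
    root_real = Path(root).resolve(strict=True)  # root must exist (assumed)
    candidate = Path(to_local_path(ref))
    if not candidate.is_absolute():
        candidate = root_real / candidate
    real = candidate.resolve(strict=False)  # target need not exist yet
    try:
        real.relative_to(root_real)
    except ValueError:
        raise PathOutsideRoot(f"{ref!r} resolves to {real}, outside {root_real}")
    return real


def is_allowed(root: str, ref: str) -> bool:
    """Boolean form of resolve_within for callers that only need accept/reject."""
    try:
        resolve_within(root, ref)
        return True
    except PathOutsideRoot:
        return False


def check_config_paths(refs, root: str):
    """Split a batch of extracted references into (accepted, rejected) lists.

    A service would call this on every file reference found in an uploaded
    configuration and refuse the whole upload if `rejected` is non-empty.
    """
    accepted, rejected = [], []
    for ref in refs:
        (accepted if is_allowed(root, ref) else rejected).append(ref)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed demo: an allowed root under the current directory.
    demo_root = Path("allowed-root")
    (demo_root / "data").mkdir(parents=True, exist_ok=True)
    (demo_root / "data" / "a.ttl").touch()
    sample_refs = [
        "data/a.ttl",                      # inside the root: accepted
        "data/../../etc/passwd",           # traversal out of the root: rejected
        "/etc/passwd",                     # absolute path outside: rejected
        "file://evil.example/share/x.ttl", # file IRI with a host: rejected
        "http://example.org/x.ttl",        # non-file scheme: rejected
    ]
    ok, bad = check_config_paths(sample_refs, str(demo_root))
    print("accepted:", ok)
    print("rejected:", bad)
```

The check deliberately resolves the root as well as the candidate, so platforms where the root itself lives behind a symlink (for example `/tmp` on macOS) do not produce false rejections, and it rejects rather than normalises anything that is not a local path, since a configuration that names a remote or non-file resource is outside what an upload should be able to express.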
