Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nMnF3LTZ2cnItdjZwcc4AAv2u
Apache Jena vulnerable to Deserialization of Untrusted Data
** UNSUPPORTED WHEN ASSIGNED ** Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in particular is known to be vulnerable to this class of attack. As a result an application using Apache Jena SDB can be subject to RCE when connected to a malicious database server. Apache Jena SDB has been EOL since December 2020 and users should migrate to alternative options e.g. Apache Jena TDB 2.
Permalink: https://github.com/advisories/GHSA-g2qw-6vrr-v6pqJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nMnF3LTZ2cnItdjZwcc4AAv2u
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 10 months ago
Updated: 8 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-g2qw-6vrr-v6pq, CVE-2022-45136
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-45136
- https://lists.apache.org/thread/mc77cdl5stgjtjoldk467gdf756qjt31
- http://www.openwall.com/lists/oss-security/2022/11/14/5
- https://github.com/advisories/GHSA-g2qw-6vrr-v6pq
Affected Packages
maven:org.apache.jena:jena-sdb
Versions: >= 0.0.0No known fixed version