Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nY2h2LTM2NGgtcjg5Ns3jtg
XML External Entity Reference in apache jena
A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 only. Apache Jena 4.2.x and 4.3.x do not allow external entities.
Permalink: https://github.com/advisories/GHSA-gchv-364h-r896JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nY2h2LTM2NGgtcjg5Ns3jtg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: 7 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-gchv-364h-r896, CVE-2022-28890
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-28890
- https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878
- https://jena.apache.org/about_jena/security-advisories.html#cve-2022-28890---processing-external-dtds
- https://github.com/advisories/GHSA-gchv-364h-r896
Affected Packages
maven:org.apache.jena:jena
Dependent packages: 7Dependent repositories: 66
Downloads:
Affected Version Ranges: = 4.4.0
Fixed in: 4.5.0
All affected versions: 4.4.0
All unaffected versions: 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 2.11.2, 2.12.0, 2.12.1, 2.13.0, 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.10.0, 3.11.0, 3.12.0, 3.13.0, 3.13.1, 3.14.0, 3.15.0, 3.16.0, 3.17.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.5.0, 4.6.0, 4.6.1, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 5.0.0