Open mend-for-github-com[bot] opened 1 year ago
CVE-2023-22665 - Medium Severity Vulnerability
Vulnerable Library - jena-arq-3.12.0.jar
ARQ is a SPARQL 1.1 query engine for Apache Jena
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/jena/jena-arq/3.12.0/jena-arq-3.12.0.jar
Dependency Hierarchy:
- spdx-tools-2.2.1.jar (Root Library)
  - apache-jena-libs-3.12.0.pom
    - jena-tdb-3.12.0.jar
      - :x: **jena-arq-3.12.0.jar** (Vulnerable Library)
Found in HEAD commit: 4f8aa11da0ed37014d8a671a962840fe2230111e
Found in base branch: master
Vulnerability Details
There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.
Publish Date: 2023-04-25
URL: CVE-2023-22665
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s
Release Date: 2023-04-25
Fix Resolution (org.apache.jena:jena-arq): 4.8.0
Direct dependency fix Resolution (org.spdx:spdx-tools): 2.2.2
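The report gives two fix resolutions, one for the transitive artifact (jena-arq 4.8.0) and one for the direct dependency (spdx-tools 2.2.2), but it cannot confirm that a given pom.xml change actually moves the transitive jena-arq past 4.8.0. The script below is an added example, not part of the Mend report or of the spdx-tools or Jena projects: it scans the default text output of `mvn dependency:tree` for every `org.apache.jena:jena-arq` node and fails when any version sorts below the fix resolution, so it can be used as a CI gate after the upgrade. The two dependency trees embedded in it are constructed to mirror the hierarchy reported above; the Jena versions shown for spdx-tools 2.2.2 are an assumption, which is exactly why the check exists.

```shell
#!/bin/sh
# Added example, not part of the scanner report or of the spdx-tools/Jena
# projects: gate a Maven build on the transitive jena-arq version.
# Assumes the default text output of `mvn dependency:tree`, where each node
# is printed as groupId:artifactId:type:version:scope. The two trees below
# are constructed to mirror the hierarchy in this issue, not captured from
# the real project.

FIXED_JENA_ARQ="4.8.0"   # Fix Resolution (org.apache.jena:jena-arq) from the report

# Print every distinct jena-arq version found in a dependency tree on stdin.
jena_arq_versions() {
    grep -o 'org\.apache\.jena:jena-arq:[a-z]*:[0-9][^: ]*' | cut -d: -f4 | sort -u
}

# Succeed (exit 0) when VERSION sorts below FIXED_JENA_ARQ. sort -V gives
# natural version ordering, so 4.10.0 is treated as newer than 4.8.0 where a
# plain string comparison would get it wrong.
is_vulnerable_version() {
    ver="$1"
    [ "$ver" != "$FIXED_JENA_ARQ" ] &&
        [ "$(printf '%s\n%s\n' "$ver" "$FIXED_JENA_ARQ" | sort -V | head -n 1)" = "$ver" ]
}

# Report each jena-arq version in the tree on stdin; exit 1 if any is below
# the fixed version (so a CI job fails), 0 otherwise.
check_tree() {
    status=0
    for v in $(jena_arq_versions); do
        if is_vulnerable_version "$v"; then
            echo "VULNERABLE: jena-arq $v < $FIXED_JENA_ARQ (CVE-2023-22665)"
            status=1
        else
            echo "ok: jena-arq $v"
        fi
    done
    return "$status"
}

# Constructed tree matching the reported hierarchy, before the upgrade.
BEFORE_TREE='[INFO] example:app:jar:1.0
[INFO] \- org.spdx:spdx-tools:jar:2.2.1:compile
[INFO]    \- org.apache.jena:apache-jena-libs:pom:3.12.0:compile
[INFO]       \- org.apache.jena:jena-tdb:jar:3.12.0:compile
[INFO]          \- org.apache.jena:jena-arq:jar:3.12.0:compile'

# Constructed tree after bumping spdx-tools to the reported fix resolution.
# The Jena versions here are an assumption; run the real tree to confirm.
AFTER_TREE='[INFO] example:app:jar:1.0
[INFO] \- org.spdx:spdx-tools:jar:2.2.2:compile
[INFO]    \- org.apache.jena:apache-jena-libs:pom:4.8.0:compile
[INFO]       \- org.apache.jena:jena-tdb:jar:4.8.0:compile
[INFO]          \- org.apache.jena:jena-arq:jar:4.8.0:compile'

printf '%s\n' "$BEFORE_TREE" | check_tree || echo "build blocked"
printf '%s\n' "$AFTER_TREE"  | check_tree && echo "build may proceed"
```

Against the real project, feed it the live tree: `mvn dependency:tree -Dincludes=org.apache.jena:jena-arq | check_tree`. Two caveats worth keeping in mind. First, pinning only `org.apache.jena:jena-arq` to 4.8.0 through `dependencyManagement` would pair it with the jena-tdb 3.12.0 that spdx-tools 2.2.1 still pulls in; Jena modules are released as a set and need to stay at one version, so either take spdx-tools 2.2.2 as the report suggests or manage all `org.apache.jena` artifacts together. Second, the CVE text above scopes the issue to the custom-script path of a SPARQL query; the scanner reports that the artifact is on the classpath, not whether the application exposes SPARQL queries from remote users with JavaScript functions enabled, so the upgrade is still the fix but the exposure in this project depends on that.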