hugh-mend / Java-Demo-Log4J

Apache License 2.0

CVE-2023-22665 (Medium) detected in jena-arq-3.12.0.jar #196

Open mend-for-github-com[bot] opened 1 year ago

mend-for-github-com[bot] commented 1 year ago

CVE-2023-22665 - Medium Severity Vulnerability

Vulnerable Library - jena-arq-3.12.0.jar

ARQ is a SPARQL 1.1 query engine for Apache Jena

Library home page: https://www.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/jena/jena-arq/3.12.0/jena-arq-3.12.0.jar

Dependency Hierarchy:
- spdx-tools-2.2.1.jar (Root Library)
  - apache-jena-libs-3.12.0.pom
    - jena-tdb-3.12.0.jar
      - :x: **jena-arq-3.12.0.jar** (Vulnerable Library)

Found in HEAD commit: 4f8aa11da0ed37014d8a671a962840fe2230111e

Found in base branch: master

Vulnerability Details

There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary JavaScript via a SPARQL query.

Publish Date: 2023-04-25

URL: CVE-2023-22665

CVSS 3 Score Details (5.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s

Release Date: 2023-04-25

Fix Resolution (org.apache.jena:jena-arq): 4.8.0

Direct dependency fix Resolution (org.spdx:spdx-tools): 2.2.2