CVE-2023-32200 - OpenCVE

There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute javascript via a SPARQL query. This issue affects Apache Jena: from 3.7.0 through 4.8.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Jena

Configuration 1 [-]

cpe:2.3:a:apache:jena:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z
https://www.cve.org/CVERecord?id=CVE-2023-22665

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-07-12T07:49:55.432Z

Updated: 2024-08-02T15:10:23.901Z

Reserved: 2023-05-04T12:49:34.610Z

Link: CVE-2023-32200

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-07-12T08:15:10.070

Modified: 2023-07-20T01:05:41.153

Link: CVE-2023-32200

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-32200", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-05-04T12:49:34.610Z", "datePublished": "2023-07-12T07:49:55.432Z", "dateUpdated": "2024-08-02T15:10:23.901Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Jena", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "4.8.0", "status": "affected", "version": "3.7.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "s3gundo of Alibaba"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "There is insufficient restrictions of called script functions in Apache Jena\n versions 4.8.0 and earlier. It allows a \nremote user to execute javascript via a SPARQL query.<br><p>This issue affects Apache Jena: from 3.7.0 through 4.8.0.</p>"}], "value": "There is insufficient restrictions of called script functions in Apache Jena\n versions 4.8.0 and earlier. It allows a \nremote user to execute javascript via a SPARQL query.\nThis issue affects Apache Jena: from 3.7.0 through 4.8.0.\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-917", "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-07-12T07:49:55.432Z"}, "references": [{"tags": ["related"], "url": "https://www.cve.org/CVERecord?id=CVE-2023-22665"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Jena: Exposure of execution in script engine expressions.", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:10:23.901Z"}, "title": "CVE Program Container", "references": [{"tags": ["related", "x_transferred"], "url": "https://www.cve.org/CVERecord?id=CVE-2023-22665"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z"}]}]}}