All the vulnerabilities related to Apache Software Foundation - Apache Jena
cve-2022-28890
Vulnerability from cvelistv5
Published
2022-05-05 08:40
Modified
2024-08-03 06:10
Severity ?
EPSS score ?
Summary
Processing external DTDs
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878 | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Jena |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:10:56.881Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Jena", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "4.4.0", "status": "affected", "version": "Apache Jena", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Apache Jena would like to thank Feras Daragma, Avishag Shapira \u0026 Amit Laish (GE Digital, Cyber Security Lab) for their report." } ], "descriptions": [ { "lang": "en", "value": "A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities." } ], "metrics": [ { "other": { "content": { "other": "medium" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "XML External DTD vulnerability", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-05T08:40:09", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878" } ], "source": { "discovery": "UNKNOWN" }, "title": "Processing external DTDs", "workarounds": [ { "lang": "en", "value": "Users are advised to upgrade to Apache Jena 4.5.0 or later." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2022-28890", "STATE": "PUBLIC", "TITLE": "Processing external DTDs" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Jena", "version": { "version_data": [ { "version_affected": "\u003c=", "version_name": "Apache Jena", "version_value": "4.4.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "credit": [ { "lang": "eng", "value": "Apache Jena would like to thank Feras Daragma, Avishag Shapira \u0026 Amit Laish (GE Digital, Cyber Security Lab) for their report." } ], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "medium" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XML External DTD vulnerability" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878", "refsource": "MISC", "url": "https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Users are advised to upgrade to Apache Jena 4.5.0 or later." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-28890", "datePublished": "2022-05-05T08:40:09", "dateReserved": "2022-04-09T00:00:00", "dateUpdated": "2024-08-03T06:10:56.881Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-22665
Vulnerability from cvelistv5
Published
2023-04-25 06:44
Modified
2025-02-13 16:44
Severity ?
EPSS score ?
Summary
Apache Jena: Exposure of arbitrary execution in script engine expressions.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Jena |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:13:49.886Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s" }, { "tags": [ "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2023/07/11/11" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Jena", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "4.7.0", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "L3yx of Syclover Security Team" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query." } ], "value": "There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query." 
} ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-917", "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-11T20:06:23.134Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s" }, { "url": "http://www.openwall.com/lists/oss-security/2023/07/11/11" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache Jena: Exposure of arbitrary execution in script engine expressions.", "workarounds": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Users not using custom scripted functions are advised to run Java17 or later with no script engine added to the deployment." } ], "value": "Users not using custom scripted functions are advised to run Java17 or later with no script engine added to the deployment." } ], "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-22665", "datePublished": "2023-04-25T06:44:21.516Z", "dateReserved": "2023-01-05T14:41:04.515Z", "dateUpdated": "2025-02-13T16:44:03.940Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-39239
Vulnerability from cvelistv5
Published
2021-09-16 14:40
Modified
2024-08-04 02:06
Severity ?
EPSS score ?
Summary
XML External Entity (XXE) vulnerability
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Jena |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T02:06:40.799Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E" }, { "name": "[announce] 20210916 CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cannounce.apache.org%3E" }, { "name": "[jena-dev] 20210921 Re: CVE-2021-39239 notifications for Jena 4.2.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0f03ae7e102c3e8587fdd36531fc167309335738156dfbd7d9c1bf45%40%3Cdev.jena.apache.org%3E" }, { "name": "[jena-dev] 20210921 CVE-2021-39239 notifications for Jena 4.2.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rce5241b228a1f0e5880f6b2bfdb7ae9ee420e94cb692738a0bbfed9d%40%3Cdev.jena.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Jena", "vendor": "Apache Software Foundation", "versions": [ { "lessThan": "4.1.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server." 
} ], "metrics": [ { "other": { "content": { "other": "high" }, "type": "unknown" } } ], "problemTypes": [ { "descriptions": [ { "description": "XML External Entity (XXE) vulnerability", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-21T09:06:18", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E" }, { "name": "[announce] 20210916 CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cannounce.apache.org%3E" }, { "name": "[jena-dev] 20210921 Re: CVE-2021-39239 notifications for Jena 4.2.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0f03ae7e102c3e8587fdd36531fc167309335738156dfbd7d9c1bf45%40%3Cdev.jena.apache.org%3E" }, { "name": "[jena-dev] 20210921 CVE-2021-39239 notifications for Jena 4.2.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rce5241b228a1f0e5880f6b2bfdb7ae9ee420e94cb692738a0bbfed9d%40%3Cdev.jena.apache.org%3E" } ], "source": { "discovery": "UNKNOWN" }, "title": "XML External Entity (XXE) vulnerability", "workarounds": [ { "lang": "en", "value": "Users are advised to upgrade to Apache Jena 4.2.0 or later." 
} ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-39239", "STATE": "PUBLIC", "TITLE": "XML External Entity (XXE) vulnerability" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Jena", "version": { "version_data": [ { "version_affected": "\u003c", "version_value": "4.1.0" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": [ { "other": "high" } ], "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "XML External Entity (XXE) vulnerability" } ] } ] }, "references": { "reference_data": [ { "name": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d%40%3Cusers.jena.apache.org%3E" }, { "name": "[announce] 20210916 CVE-2021-39239: Apache Jena: XML External Entity (XXE) vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf44d529c54ef1d0097e813f576a0823a727e1669a9f610d3221d493d@%3Cannounce.apache.org%3E" }, { "name": "[jena-dev] 20210921 Re: CVE-2021-39239 notifications for Jena 4.2.0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0f03ae7e102c3e8587fdd36531fc167309335738156dfbd7d9c1bf45@%3Cdev.jena.apache.org%3E" }, { "name": "[jena-dev] 20210921 CVE-2021-39239 notifications for Jena 4.2.0", "refsource": "MLIST", "url": 
"https://lists.apache.org/thread.html/rce5241b228a1f0e5880f6b2bfdb7ae9ee420e94cb692738a0bbfed9d@%3Cdev.jena.apache.org%3E" } ] }, "source": { "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Users are advised to upgrade to Apache Jena 4.2.0 or later." } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-39239", "datePublished": "2021-09-16T14:40:20", "dateReserved": "2021-08-17T00:00:00", "dateUpdated": "2024-08-04T02:06:40.799Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-32200
Vulnerability from cvelistv5
Published
2023-07-12 07:49
Modified
2024-10-07 19:42
Severity ?
EPSS score ?
Summary
Apache Jena: Exposure of execution in script engine expressions.
References
▼ | URL | Tags |
---|---|---|
https://www.cve.org/CVERecord?id=CVE-2023-22665 | related |
https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z | vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Jena |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T15:10:23.901Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "related", "x_transferred" ], "url": "https://www.cve.org/CVERecord?id=CVE-2023-22665" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:apache:jena:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "jena", "vendor": "apache", "versions": [ { "lessThanOrEqual": "4.8.0", "status": "affected", "version": "3.7.0", "versionType": "custom" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-32200", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-10-07T19:41:36.847404Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-07T19:42:49.706Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Jena", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "4.8.0", "status": "affected", "version": "3.7.0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "s3gundo of Alibaba" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "There is insufficient restrictions 
of called script functions in Apache Jena\n versions 4.8.0 and earlier. It allows a \nremote user to execute javascript via a SPARQL query.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Jena: from 3.7.0 through 4.8.0.\u003c/p\u003e" } ], "value": "There is insufficient restrictions of called script functions in Apache Jena\n versions 4.8.0 and earlier. It allows a \nremote user to execute javascript via a SPARQL query.\nThis issue affects Apache Jena: from 3.7.0 through 4.8.0.\n\n" } ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-917", "description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-07-12T07:49:55.432Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "related" ], "url": "https://www.cve.org/CVERecord?id=CVE-2023-22665" }, { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z" } ], "source": { "discovery": "EXTERNAL" }, "title": "Apache Jena: Exposure of execution in script engine expressions.", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2023-32200", "datePublished": "2023-07-12T07:49:55.432Z", "dateReserved": "2023-05-04T12:49:34.610Z", "dateUpdated": "2024-10-07T19:42:49.706Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2025-49656
Vulnerability from cvelistv5
Published
2025-07-21 09:30
Modified
2025-07-21 14:47
Severity ?
EPSS score ?
Summary
Apache Jena: Administrative users can create files outside the server directory space via the admin UI
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/qmm21som8zct813vx6dfd1phnfro6mwq | vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Jena |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-49656", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-21T14:46:28.661133Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-21T14:47:08.462Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Jena", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "5.4.0", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "credits": [ { "lang": "en", "type": "reporter", "value": "Noriaki Iwasaki; Cyber Defense Institute, Inc" } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eUsers with administrator access can create databases files outside the files area of the Fuseki server.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Jena version up to 5.4.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 5.5.0, which fixes the issue.\u003c/p\u003e" } ], "value": "Users with administrator access can create databases files outside the files area of the Fuseki server.\n\nThis issue affects Apache Jena version up to 5.4.0.\n\nUsers are recommended to upgrade to version 5.5.0, which fixes the issue." 
} ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-21T09:30:32.715Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/qmm21som8zct813vx6dfd1phnfro6mwq" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Jena: Administrative users can create files outside the server directory space via the admin UI", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2025-49656", "datePublished": "2025-07-21T09:30:32.715Z", "dateReserved": "2025-06-09T16:47:05.868Z", "dateUpdated": "2025-07-21T14:47:08.462Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2025-50151
Vulnerability from cvelistv5
Published
2025-07-21 09:32
Modified
2025-07-21 14:41
Severity ?
EPSS score ?
Summary
Apache Jena: Configuration files uploaded by administrative users are not check properly
References
▼ | URL | Tags |
---|---|---|
https://lists.apache.org/thread/12gks5z40gh9bszn1xk8mz34gz586xss | vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Apache Software Foundation | Apache Jena |
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-50151", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-07-21T14:40:14.417556Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-21T14:41:06.294Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Apache Jena", "vendor": "Apache Software Foundation", "versions": [ { "lessThanOrEqual": "5.4.0", "status": "affected", "version": "0", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cdiv\u003eFile access paths in configuration files uploaded by users with administrator access are not validated.\u003c/div\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects Apache Jena version up to 5.4.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload.\u003c/p\u003e\u003cbr\u003e\u003c/div\u003e" } ], "value": "File access paths in configuration files uploaded by users with administrator access are not validated.\n\nThis issue affects Apache Jena version up to 5.4.0.\n\nUsers are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload." 
} ], "metrics": [ { "other": { "content": { "text": "important" }, "type": "Textual description of severity" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-21T09:32:30.334Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://lists.apache.org/thread/12gks5z40gh9bszn1xk8mz34gz586xss" } ], "source": { "discovery": "UNKNOWN" }, "title": "Apache Jena: Configuration files uploaded by administrative users are not check properly", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2025-50151", "datePublished": "2025-07-21T09:32:30.334Z", "dateReserved": "2025-06-13T16:13:26.895Z", "dateUpdated": "2025-07-21T14:41:06.294Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }