{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2023-22665","assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","state":"PUBLISHED","assignerShortName":"apache","dateReserved":"2023-01-05T14:41:04.515Z","datePublished":"2023-04-25T06:44:21.516Z","dateUpdated":"2025-02-13T16:44:03.940Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Apache Jena","vendor":"Apache Software Foundation","versions":[{"lessThanOrEqual":"4.7.0","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"reporter","value":"L3yx of Syclover Security Team"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query."}],"value":"There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query."}],"metrics":[{"other":{"content":{"text":"important"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-917","description":"CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2023-07-11T20:06:23.134Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s"},{"url":"http://www.openwall.com/lists/oss-security/2023/07/11/11"}],"source":{"discovery":"EXTERNAL"},"title":"Apache Jena: Exposure of arbitrary execution in script engine expressions.","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Users not using custom scripted functions are advised to run Java17 or later with no script engine added to the deployment."}],"value":"Users not using custom scripted functions are advised to run Java17 or later with no script engine added to the deployment."}],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T10:13:49.886Z"},"title":"CVE Program Container","references":[{"tags":["vendor-advisory","x_transferred"],"url":"https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s"},{"url":"http://www.openwall.com/lists/oss-security/2023/07/11/11","tags":["x_transferred"]}]}]}}