Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary executi

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.

From: Andrii Berezovskyi <andriib@xxxxxx>
Date: Thu, 27 Apr 2023 08:49:19 +0000
Accept-language: en-GB, en-US, sv-SE
Delivered-to: lyo-dev@xxxxxxxxxxx
Dkim-filter: OpenDKIM Filter v2.11.0 smtp-relay-2.sys.kth.se 4Q6Ttl5dNJzPR45
List-archive: <https://www.eclipse.org/mailman/private/lyo-dev/>
List-help: <mailto:lyo-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/lyo-dev>, <mailto:lyo-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/lyo-dev>, <mailto:lyo-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AQHZeOS0h6fUvnWv60Od7ZDan6S3Ba8+2Ib6
Thread-topic: CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.

I made a typo: “all” should have been “allow”. You are at risk if direct/arbitrary SPARQL queries are allowed.

–Andrew

27 apr. 2023 kl. 10:46 skrev Andrii Berezovskyi <andriib@xxxxxx>:

Hi,

https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s announces quite a severe CVE. It shouldn’t affect you if you use Lyo to process OSLC Query statements and convert them to prepared SPARQL statements and instead all SPARQL queries to be submitted directly.

–Andrew

References:
- [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.
  - From: Andrii Berezovskyi

Prev by Date: Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.
Next by Date: Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.
Previous by thread: Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.
Index(es):
- Date
- Thread

Breadcrumbs