Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.

Yes, Jad, it does, but the query shape is predefined and we use prepared statements to fill in the template queries to avoid injections. I will check the code again today briefly.

–Andrew

27 apr. 2023 kl. 10:49 skrev Jad El-Khoury <jad@xxxxxx>:



Andrii

 

Doesn’t LyoStore submit SPARQL queries?

 

Jad

 

 

From: lyo-dev <lyo-dev-bounces@xxxxxxxxxxx> On Behalf Of Andrii Berezovskyi
Sent: Thursday, 27 April 2023 10:46
To: lyo-dev@xxxxxxxxxxx
Subject: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.

 

Hi,

 

https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s announces quite a severe CVE. It shouldn’t affect you if you use Lyo to process OSLC Query statements and convert them to prepared SPARQL statements and instead all SPARQL queries to be submitted directly.

–Andrew

_______________________________________________
lyo-dev mailing list
lyo-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/lyo-dev

Back to the top