Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary executi

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.

From: Jad El-Khoury <jad@xxxxxx>
Date: Thu, 27 Apr 2023 08:56:33 +0000
Accept-language: en-GB, sv-SE, en-US
Delivered-to: lyo-dev@xxxxxxxxxxx
Dkim-filter: OpenDKIM Filter v2.11.0 smtp-relay-3.sys.kth.se 4Q6V355XgFzPQFQ
List-archive: <https://www.eclipse.org/mailman/private/lyo-dev/>
List-help: <mailto:lyo-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/lyo-dev>, <mailto:lyo-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/lyo-dev>, <mailto:lyo-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AQHZeOS0h6fUvnWv60Od7ZDan6S3Ba8+2ApwgAABm6aAAADeoA==
Thread-topic: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.

Right!

From: lyo-dev <lyo-dev-bounces@xxxxxxxxxxx> On Behalf Of Andrii Berezovskyi
Sent: Thursday, 27 April 2023 10:53
To: Lyo project developer discussions <lyo-dev@xxxxxxxxxxx>
Subject: Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.

Yes, Jad, it does, but the query shape is predefined and we use prepared statements to fill in the template queries to avoid injections. I will check the code again today briefly.

–Andrew

27 apr. 2023 kl. 10:49 skrev Jad El-Khoury <jad@xxxxxx>:

Andrii

Doesn’t LyoStore submit SPARQL queries?

Jad

From: lyo-dev <lyo-dev-bounces@xxxxxxxxxxx> On Behalf Of Andrii Berezovskyi
Sent: Thursday, 27 April 2023 10:46
To: lyo-dev@xxxxxxxxxxx
Subject: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.

Hi,

https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s announces quite a severe CVE. It shouldn’t affect you if you use Lyo to process OSLC Query statements and convert them to prepared SPARQL statements and instead all SPARQL queries to be submitted directly.

–Andrew

_______________________________________________
lyo-dev mailing list
lyo-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/lyo-dev

References:
- [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.
  - From: Andrii Berezovskyi
- Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.
  - From: Jad El-Khoury
- Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.
  - From: Andrii Berezovskyi

Prev by Date: Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.
Next by Date: [lyo-dev] [ANN] prerelease versions of Lyo 5.1.0 and 5.0.1
Previous by thread: Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.
Next by thread: Re: [lyo-dev] CVE-2023-22665: Apache Jena: Exposure of arbitrary execution in script engine expressions.
Index(es):
- Date
- Thread

Breadcrumbs