CVE-2023-22665: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

April 25, 2023 (updated January 21, 2024)

There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.

References

github.com/advisories/GHSA-xgh5-gwq5-rpx8
lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s
nvd.nist.gov/vuln/detail/CVE-2023-22665

Detect and mitigate CVE-2023-22665 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →