CVE-2022-28890

EPSS 0.6%
Veröffentlicht 05.05.2022 09:15:08
Zuletzt bearbeitet 21.11.2024 06:58:08
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Jena Version4.4.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.6%	0.685

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2022-28890

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-28890

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-28890

EUVD