CVE-2022-28890

EPSS 0.6%
Published 05.05.2022 09:15:08
Last modified 21.11.2024 06:58:08
Source security@apache.org
Teams watchlist Login
Open Login

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Jena Version4.4.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.6%	0.685

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2022-28890

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-28890

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-28890

EUVD