Skip to content

High CVE issues reported in owlready2 bundled Jena JARs #54

Description

@prasadayush

🔴 High Severity: XXE Vulnerability in Apache Jena (CVE-2021-39239)

Summary

A high-severity XML External Entity (XXE) injection vulnerability has been identified in Apache Jena affecting the jena-arq and jena-core packages. This vulnerability could allow a network attacker to read local files or perform server-side request forgery (SSRF).


Affected Packages

Package CVE ID Severity
org.apache.jena:jena-arq CVE-2021-39239 🔴 High
org.apache.jena:jena-core CVE-2021-39239 🔴 High

Affected versions: Apache Jena ≤ 4.1.0


Vulnerability Details

Type: XML External Entity (XXE) Injection
Attack Vector: Network
Attack Complexity: Low
Fix Available: Yes

The vulnerability exists in XML processing within Apache Jena. An attacker can exploit this to execute XML External Entities, which may result in:

  • Exposure of local file contents to a remote server
  • Potential server-side request forgery (SSRF)
  • Information disclosure of sensitive system files

References:


Recommended Fix

Upgrade Apache Jena to version 4.2.0 or later, which contains the fix for this vulnerability.

<!-- Maven -->
<dependency>
  <groupId>org.apache.jena</groupId>
  <artifactId>apache-jena-libs</artifactId>
  <version>4.2.0</version> <!-- or latest -->
  <type>pom</type>
</dependency>

Action Items

  • Upgrade jena-arq to a version > 4.1.0
  • Upgrade jena-core to a version > 4.1.0
  • What is the expected ETA for the fix and patch release?

Reported by dependency vulnerability scan. Fix is available — please prioritize accordingly.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions