🔴 High Severity: XXE Vulnerability in Apache Jena (CVE-2021-39239)
Summary
A high-severity XML External Entity (XXE) injection vulnerability has been identified in Apache Jena affecting the jena-arq and jena-core packages. This vulnerability could allow a network attacker to read local files or perform server-side request forgery (SSRF).
Affected Packages
Affected versions: Apache Jena ≤ 4.1.0
Vulnerability Details
Type: XML External Entity (XXE) Injection
Attack Vector: Network
Attack Complexity: Low
Fix Available: Yes
The vulnerability exists in XML processing within Apache Jena. An attacker can exploit this to execute XML External Entities, which may result in:
- Exposure of local file contents to a remote server
- Potential server-side request forgery (SSRF)
- Information disclosure of sensitive system files
References:
Recommended Fix
Upgrade Apache Jena to version 4.2.0 or later, which contains the fix for this vulnerability.
<!-- Maven -->
<dependency>
<groupId>org.apache.jena</groupId>
<artifactId>apache-jena-libs</artifactId>
<version>4.2.0</version> <!-- or latest -->
<type>pom</type>
</dependency>
Action Items
Reported by dependency vulnerability scan. Fix is available — please prioritize accordingly.
🔴 High Severity: XXE Vulnerability in Apache Jena (CVE-2021-39239)
Summary
A high-severity XML External Entity (XXE) injection vulnerability has been identified in Apache Jena affecting the
jena-arqandjena-corepackages. This vulnerability could allow a network attacker to read local files or perform server-side request forgery (SSRF).Affected Packages
org.apache.jena:jena-arqorg.apache.jena:jena-coreAffected versions: Apache Jena ≤ 4.1.0
Vulnerability Details
Type: XML External Entity (XXE) Injection
Attack Vector: Network
Attack Complexity: Low
Fix Available: Yes
The vulnerability exists in XML processing within Apache Jena. An attacker can exploit this to execute XML External Entities, which may result in:
References:
Recommended Fix
Upgrade Apache Jena to version 4.2.0 or later, which contains the fix for this vulnerability.
Action Items
jena-arqto a version > 4.1.0jena-coreto a version > 4.1.0Reported by dependency vulnerability scan. Fix is available — please prioritize accordingly.