AVID-2026-R1179
Description
Apache Jena: Exposure of arbitrary execution in script engine expressions. (CVE-2023-22665)
Details
Apache Jena versions 4.7.0 and earlier perform insufficient checking of user queries when invoking custom scripts. A remote user can execute arbitrary JavaScript by submitting a SPARQL query that calls a script function. Apache Jena 4.8.0 addresses this by disabling JavaScript script functions by default; they must be explicitly enabled with the system property `jena:scripting=true`.
Reason for inclusion in AVID: CVE-2023-22665 describes remote execution of attacker-supplied JavaScript through SPARQL queries in Apache Jena, caused by insufficient checking of query input. The flaw is not AI-specific, but Apache Jena is a general-purpose RDF and knowledge-graph framework that is commonly pulled in as a dependency of data pipelines and knowledge-graph components inside AI systems, so the vulnerability is a software-supply-chain risk for any AI system that uses Jena in its data-handling or knowledge components. The upstream report gives the CVE identifier, the affected versions and the nature of the flaw, which supports classifying it as a security vulnerability in a software component used in AI stacks.
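The Python below is an added example, not part of this AVID entry or of the Apache Jena code base. It gives a deployer two offline checks that follow from the details above: a numeric version test against the affected range this entry gives (4.7.0 and earlier), and a scanner that flags SPARQL queries (from query logs, or in a pre-execution hook in front of Fuseki) that call a function in the ARQ JavaScript function namespace `http://jena.apache.org/ARQ/jsFunction#`, whether the call uses a full IRI or a prefixed name under any prefix label. The sample queries, the function names `toCamelCase` and `run`, and the `scan()` helper are constructed for illustration.

```python
"""
Added example, not part of the AVID entry or of the Apache Jena project.

  1. is_affected_version(): is a reported Jena version inside the range this
     entry gives (4.7.0 and earlier)?
  2. find_js_functions(): does a SPARQL query call a function in the ARQ
     JavaScript function namespace http://jena.apache.org/ARQ/jsFunction# ?
The sample queries and function names (toCamelCase, run) are constructed.
"""
import re
from typing import Dict, List

# Namespace ARQ uses for JavaScript-backed SPARQL functions.
JS_FUNCTION_NS = "http://jena.apache.org/ARQ/jsFunction#"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# PREFIX label: <iri>   (label may be empty: "PREFIX : <...>")
_PREFIX_RE = re.compile(r"PREFIX\s+([A-Za-z_][\w.-]*)?:\s*<([^<>\s]*)>", re.IGNORECASE)
# IRIREF: SPARQL forbids whitespace inside <...>, so "?x < 3 && ?y > 2" is not an IRI.
_IRI_RE = re.compile(r"<([^<>\"{}|^`\\\s]*)>")
# prefix:local( ... ): a function call written as a prefixed name.
_PNAME_CALL_RE = re.compile(r"(?<![\w:<])([A-Za-z_][\w.-]*)?:([A-Za-z_][\w.-]*)\s*\(")
# Comment stripper: keep IRIs and string literals (both may contain '#'), drop '#...' comments.
_COMMENT_RE = re.compile(r"<[^<>\"{}|^`\\\s]*>|\"(?:[^\"\\]|\\.)*\"|'(?:[^'\\]|\\.)*'|(#[^\n]*)")


def is_affected_version(version: str) -> bool:
    """True for Jena releases 4.7.0 and earlier (the range this entry gives).

    Compares numerically, so "4.10.0" is correctly treated as newer than "4.7.0".
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jena version string: {version!r}")
    return tuple(int(x) for x in m.groups()) <= (4, 7, 0)


def _strip_comments(query: str) -> str:
    return _COMMENT_RE.sub(lambda m: "" if m.group(1) else m.group(0), query)


def _prefixes(query: str) -> Dict[str, str]:
    return {m.group(1) or "": m.group(2) for m in _PREFIX_RE.finditer(query)}


def find_js_functions(query: str) -> List[str]:
    """Return the expanded IRIs of every JavaScript function the query calls.

    Handles full IRIs and prefixed names under any prefix label, and ignores
    text in comments, so "# js:run(?o)" on a comment line is not a hit.
    """
    text = _strip_comments(query)
    prefixes = _prefixes(text)
    hits: List[str] = []
    for m in _IRI_RE.finditer(text):
        iri = m.group(1)
        # A bare PREFIX declaration of the namespace is not a call; require a local name.
        if iri.startswith(JS_FUNCTION_NS) and len(iri) > len(JS_FUNCTION_NS):
            hits.append(iri)
    for m in _PNAME_CALL_RE.finditer(text):
        if prefixes.get(m.group(1) or "") == JS_FUNCTION_NS:
            hits.append(JS_FUNCTION_NS + m.group(2))
    return hits


# Constructed sample queries for demonstration.
SAMPLE_QUERIES = {
    "benign": (
        "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#>\n"
        "SELECT ?s WHERE { ?s ?p ?o FILTER(xsd:integer(?o) < 3) }"
    ),
    "prefixed_call": (
        "PREFIX js: <http://jena.apache.org/ARQ/jsFunction#>\n"
        "SELECT (js:toCamelCase(?label) AS ?cc) WHERE { ?s ?p ?label }"
    ),
    "renamed_prefix": (
        "PREFIX f: <http://jena.apache.org/ARQ/jsFunction#>\n"
        "SELECT ?x WHERE { ?s ?p ?o BIND(f:run(?o) AS ?x) }"
    ),
    "full_iri": (
        "SELECT ?x WHERE { BIND(<http://jena.apache.org/ARQ/jsFunction#run>(\"a\") AS ?x) }"
    ),
    "commented_out": (
        "# js:run(?o) appears only in this comment\n"
        "PREFIX js: <http://jena.apache.org/ARQ/jsFunction#>\n"
        "SELECT ?s WHERE { ?s ?p ?o }"
    ),
}


def scan(queries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each query name to the JS functions it calls (empty list = no hit)."""
    return {name: find_js_functions(q) for name, q in queries.items()}


if __name__ == "__main__":
    for version in ("3.17.0", "4.7.0", "4.8.0", "4.10.0"):
        print(f"Jena {version}: {'AFFECTED' if is_affected_version(version) else 'not affected'}")
    for name, funcs in scan(SAMPLE_QUERIES).items():
        print(f"{name:15s} -> {funcs or 'no JavaScript function calls'}")
```

The scanner is a textual heuristic for triage and log review, not a substitute for the fix: a query that reaches the namespace through an obscure encoding will be missed, and a benign deployment that legitimately uses script functions will be flagged. The reliable control remains upgrading to a release that ships script functions disabled and leaving `jena:scripting` unset unless the deployment needs it.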
References
- NVD entry
- https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s
- http://www.openwall.com/lists/oss-security/2023/07/11/11
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Jena |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-04-25
- Version: 0.3.3
- AVID Entry