CVE-2023-32200: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

July 12, 2023 (updated July 20, 2023)

There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute javascript via a SPARQL query. This issue affects Apache Jena: from 3.7.0 through 4.8.0.

References

lists.apache.org/thread/7hg0t2kws3fyr75dl7lll8389xzzc46z
nvd.nist.gov/vuln/detail/CVE-2023-32200
www.cve.org/CVERecord?id=CVE-2023-22665

Code Behaviors & Features

Detect and mitigate CVE-2023-32200 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →