CVE-2022-45136

CRITICAL 9.8

Apache Jena SDB allows arbitrary deserialisation via JDBC

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in particular is known to be vulnerable to this class of attack. As a result an application using Apache Jena SDB can be subject to RCE when connected to a malicious database server. Apache Jena SDB has been EOL since December 2020 and users should migrate to alternative options e.g. Apache Jena TDB 2.

CWE	CWE-502
Vendor	apache software foundation
Product	apache jena sdb
Published	Nov 14, 2022
Last Updated	Aug 3, 2024

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache jena sdb

Be the first to know when new critical vulnerabilities affecting apache software foundation apache jena sdb are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache Jena SDB

unspecified ≤ 3.17.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/mc77cdl5stgjtjoldk467gdf756qjt31 openwall.com: http://www.openwall.com/lists/oss-security/2022/11/14/5

Credits

Apache Jena would like to thank Crilwa & LaNyer640 for reporting this issue