CVE-2023-32200— Apache Jena: Exposure of execution in script engine expressions.
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-32200
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache Jena: Exposure of execution in script engine expressions.
Source: NVD (National Vulnerability Database)
Vulnerability Description
There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute javascript via a SPARQL query. This issue affects Apache Jena: from 3.7.0 through 4.8.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
表达式语言语句中使用的特殊元素转义处理不恰当(表达式语言注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Jena 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Jena是美国阿帕奇(Apache)基金会的一个Java语义网框架。用于构建语义Web和链接数据应用程序。 Apache Jena 存在安全漏洞,该漏洞源于对 called script 函数的限制不够。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Jena | 3.7.0 ~ 4.8.0 | - |
II. Public POCs for CVE-2023-32200
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-32200
请登录查看更多情报信息。
Same Patch Batch · Apache Software Foundation · 2023-07-12 · 13 CVEs total
| CVE-2023-30429 | 9.6 CRITICAL | Apache Pulsar: Incorrect Authorization for Function Worker when using mTLS Authentication |
| CVE-2023-37579 | 8.2 HIGH | Apache Pulsar Function Worker: Incorrect Authorization for Function Worker Can Leak Sink/S |
| CVE-2023-30428 | 8.2 HIGH | Apache Pulsar Broker: Incorrect Authorization Validation for Rest Producer |
| CVE-2022-42009 | 8.0 HIGH | Apache Ambari: A malicious authenticated user can remotely execute arbitrary code in the c |
| CVE-2022-45855 | 8.0 HIGH | Apache Ambari: Allows authenticated metrics consumers to perform RCE |
| CVE-2023-31007 | Apache Pulsar: Broker does not always disconnect client when authentication data expires | |
| CVE-2023-35908 | Apache Airflow: Access to DAGs without relevant permission | |
| CVE-2023-22887 | Apache Airflow path traversal by authenticated user | |
| CVE-2022-46651 | Apache Airflow: Security vulnerability on AirFlow Connections | |
| CVE-2023-36543 | Apache Airflow: ReDoS via dags function | |
| CVE-2023-22888 | Apache Airflow: Scheduler remote DoS | |
| CVE-2023-37582 | Apache RocketMQ: Possible remote code execution when using the update configuration functi |
IV. Related Vulnerabilities
Same product: Apache Jena
- CVE-2025-50151
Apache Jena: Configuration files uploaded by administrative - CVE-2025-49656
Apache Jena: Administrative users can create files outside t - CVE-2023-22665
Apache Jena: Exposure of arbitrary execution in script engin - CVE-2022-28890
Processing external DTDs - CVE-2021-39239
XML External Entity (XXE) vulnerability
Same vendor: Apache Software Foundation
- CVE-2026-35194
Apache Flink: Remote code execution via SQL injection in cod - CVE-2026-45205
Apache Commons Configuration: StackOverflowError for YAML in - CVE-2026-43515
Apache Tomcat: Security constraints not correctly applied - CVE-2026-43514
Apache Tomcat: AJP secret compared in non-constant time - CVE-2026-43513
Apache Tomcat: LockOutRealm treats user names as case-sensit
Same weakness: CWE-917
- CVE-2026-8759
xiandafu beetl SpELFunction SpELFunction.java expression lan - CVE-2026-41901
Thymeleaf: Improper recognition of unauthorized syntax patte - CVE-2026-41705
VMware Spring AI 安全漏洞 - CVE-2026-41883
OmniFaces: EL injection via crafted resource name in wildcar - CVE-2026-42811
Apache Polaris: could broaden vended GCS credentials through
V. Comments for CVE-2023-32200
No comments yet