Apache Jena security advisories

Security information for Apache Jena

Reporting

Do you want disclose a potential security issue for Apache Jena? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Configuration files uploaded by administrative users are not check properly

CVE-2025-50151 [CVE] [CVE json] [OSV json]

Last updated: 2025-07-21T09:32:27.896Z

Affected

  • Apache Jena through 5.4.0

Description

File access paths in configuration files uploaded by users with administrator access are not validated.

This issue affects Apache Jena version up to 5.4.0.

Users are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload.


References

Administrative users can create files outside the server directory space via the admin UI

CVE-2025-49656 [CVE] [CVE json] [OSV json]

Last updated: 2025-07-21T09:30:16.936Z

Affected

  • Apache Jena through 5.4.0

Description

Users with administrator access can create databases files outside the files area of the Fuseki server.

This issue affects Apache Jena version up to 5.4.0.

Users are recommended to upgrade to version 5.5.0, which fixes the issue.

References

Credits

  • Noriaki Iwasaki; Cyber Defense Institute, Inc (reporter)

Exposure of execution in script engine expressions.

CVE-2023-32200 [CVE] [CVE json] [OSV json]

Last updated: 2023-07-12T07:50:01.786Z

Affected

  • Apache Jena from 3.7.0 through 4.8.0

Description

There is insufficient restrictions of called script functions in Apache Jena versions 4.8.0 and earlier. It allows a remote user to execute javascript via a SPARQL query.

This issue affects Apache Jena: from 3.7.0 through 4.8.0.

References

Credits

  • s3gundo of Alibaba (reporter)

Exposure of arbitrary execution in script engine expressions.

CVE-2023-22665 [CVE] [CVE json] [OSV json]

Last updated: 2023-04-25T07:09:43.803Z

Affected

  • Apache Jena through 4.7.0

Description

There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.

References

Credits

  • L3yx of Syclover Security Team (reporter)

Apache Jena SDB allows arbitrary deserialisation via JDBC

CVE-2022-45136 [CVE] [CVE json] [OSV json]

Last updated: 2022-11-14T15:41:09.479Z

Affected

  • Apache Jena SDB from unspecified through 3.17.0

Description

Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in particular is known to be vulnerable to this class of attack. As a result an application using Apache Jena SDB can be subject to RCE when connected to a malicious database server.

Apache Jena SDB has been EOL since December 2020 and users should migrate to alternative options e.g. Apache Jena TDB 2

References

Credits

  • Apache Jena would like to thank Crilwa & LaNyer640 for reporting this issue

Processing external DTDs

CVE-2022-28890 [CVE] [CVE json] [OSV json]

Last updated: 2022-05-05T08:34:36.622Z

Affected

  • Apache Jena from Apache Jena through 4.4.0

Description

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.

References

Credits

  • Apache Jena would like to thank Feras Daragma, Avishag Shapira & Amit Laish (GE Digital, Cyber Security Lab) for their report.

XML External Entity (XXE) vulnerability

CVE-2021-39239 [CVE] [CVE json] [OSV json]

Last updated: 2021-09-16T14:16:06.658Z

Affected

  • Apache Jena from unspecified before 4.1.0

Description

A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.

References

Display information UI XSS

CVE-2021-33192 [CVE] [CVE json] [OSV json]

Last updated: 2021-07-05T09:09:33.148Z

Affected

  • Apache Jena Fuseki at Apache Jena Fuseki2 2.0.0 to 4.0.0

Description

A vulnerability in the HTML pages of Apache Jena Fuseki allows an attacker to execute arbitrary javascript on certain page views. This issue affects Apache Jena Fuseki from version 2.0.0 to version 4.0.0 (inclusive).

References

Credits

  • Apache Jena would like to thank Luka Safonov for reporting this issue.