
List:       oss-security
Subject:    [oss-security] CVE-2023-25141: JNDI injection into Apache sling-org-apache-sling-jcr-base
From:       Angela Schreiber <angela () apache ! org>
Date:       2023-02-14 10:26:46
Message-ID: 4cce91c8-50d8-2545-c544-02d332f92a0a () apache ! org

Severity: critical

Description:

Apache Sling JCR Base < 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. The functions getRepository and getRepositoryFromURL allow an application to access data stored in a remote location via JNDI and RMI.

Users of Apache Sling JCR Base are recommended to upgrade to Apache Sling JCR Base 3.1.12 or later, or to run on a more recent JDK.
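As an added illustration (not code from Apache Sling or from this advisory), a guard that a deployment could place in front of the RepositoryAccessor calls so that a caller-supplied repository locator cannot steer the lookup to a remote JNDI/RMI endpoint, together with a check that the JVM's remote-codebase loading is explicitly switched off. The class name, the allowed-host set and the sample locators are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Added example: a pre-check for locators handed to getRepository / getRepositoryFromURL. */
public final class RepositoryLocatorGuard {

    // Schemes whose JNDI lookup fetches objects from a remote endpoint.
    private static final Set<String> REMOTE_JNDI_SCHEMES =
            Set.of("rmi", "ldap", "ldaps", "iiop", "iiopname", "corbaname", "dns");

    // Hosts this deployment is willing to contact (assumption: adjust per site).
    private static final Set<String> ALLOWED_HOSTS = Set.of("localhost", "127.0.0.1");

    private RepositoryLocatorGuard() {}

    /** Returns true only if the locator cannot direct the lookup to a remote endpoint. */
    public static boolean isAllowed(String locator) {
        if (locator == null || locator.isBlank()) {
            return false;
        }
        String lower = locator.toLowerCase(Locale.ROOT);
        // Catch nested forms such as "jndi://rmi://host/obj" before parsing.
        for (String scheme : REMOTE_JNDI_SCHEMES) {
            if (lower.contains(scheme + ":")) {
                return false;
            }
        }
        URI uri;
        try {
            uri = new URI(locator);
        } catch (URISyntaxException e) {
            return false;
        }
        String host = uri.getHost();
        // A locator that names a host must name one we trust; host-less locators are local.
        return host == null || ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /** True only if both trustURLCodebase properties are explicitly "false". */
    public static boolean remoteCodebaseDisabled() {
        // Demand an explicit value: on the affected JDKs the unset default may be permissive.
        return "false".equals(System.getProperty("com.sun.jndi.rmi.object.trustURLCodebase"))
                && "false".equals(System.getProperty("com.sun.jndi.ldap.object.trustURLCodebase"));
    }

    public static void main(String[] args) {
        // Constructed sample locators: a local file repository and a remote RMI reference.
        System.out.println("file locator allowed: " + isAllowed("file:///var/sling/repository"));
        System.out.println("rmi locator allowed:  " + isAllowed("rmi://repo.example.net/jackrabbit"));
        System.out.println("remote codebase off:  " + remoteCodebaseDisabled());
    }
}
```

Run with `-Dcom.sun.jndi.rmi.object.trustURLCodebase=false -Dcom.sun.jndi.ldap.object.trustURLCodebase=false` to see the runtime check pass; the guard complements, and does not replace, upgrading to 3.1.12 or a current JDK.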

Credit:

Xun Bai from LJQC Open Source Security Institute (reporter)

References:

https://sling.apache.org/news.html
https://sling.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-25141

