CVE-2022-28890 — XML External Entity Reference in apache jena

Description

A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.

How to fix CVE-2022-28890

To remediate CVE-2022-28890, upgrade the affected package to a fixed version below.

Debian/apache-jena—upgrade to 4.5.0-1 or later
—upgrade to 4.5.0 or later

Is CVE-2022-28890 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 4.5.0-1
>= 4.4.0, < 4.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-28890
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-28890
PATCHgitbox.apache.org/repos/asf/jena.git
WEBjena.apache.org/about_jena/security-advisories.html#cve-2022-28890---processing-external-dtds