oss-sec mailing list archives

CVE-2023-25141: JNDI injection into Apache sling-org-apache-sling-jcr-base


From: Angela Schreiber <angela () apache org>
Date: Tue, 14 Feb 2023 10:26:46 +0000

Severity: critical

Description:

Apache Sling JCR Base < 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or 
earlier) through utility functions in RepositoryAccessor. The functions getRepository and getRepositoryFromURL allow an 
application to access data stored in a remote location via JNDI and RMI.

Users of Apache Sling JCR Base are recommended to upgrade to Apache Sling JCR Base 3.1.12 or later, or to run on a more 
recent JDK.
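The advisory states two conditions that must both hold (bundle version below 3.1.12 and a JDK at 1.8.191 or earlier). The following is an added example, not code from the advisory or the Sling project, that encodes those two thresholds as an exposure check an operator can run over inventory data; the handling of the legacy `1.8.0_191` and the newer `11.0.2` / `17` java.version formats is an assumption about how those strings are usually reported.

```python
import re
from typing import Tuple

# Thresholds taken from the advisory text: Sling JCR Base < 3.1.12 is affected
# when running on JDK 1.8.191 (8u191) or earlier.
FIXED_SLING_VERSION = (3, 1, 12)
LAST_AFFECTED_JDK8_UPDATE = 191


def parse_sling_version(version: str) -> Tuple[int, ...]:
    """Parse a Maven-style bundle version such as '3.1.11' or '3.1.12-SNAPSHOT'."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def parse_java_version(java_version: str) -> Tuple[int, int]:
    """Return (feature release, update) from a java.version string.

    Assumed formats: legacy '1.<feature>.0_<update>' (e.g. '1.8.0_191') and
    the newer '<feature>.<interim>.<update>' (e.g. '11.0.2', '17').
    """
    m = re.match(r"^1\.(\d+)\.\d+(?:_(\d+))?", java_version)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", java_version)
    if not m:
        raise ValueError(f"unrecognised java.version: {java_version!r}")
    return int(m.group(1)), int(m.group(3) or 0)


def is_affected(sling_version: str, java_version: str) -> bool:
    """True only when both advisory conditions hold for this deployment."""
    sling_old = parse_sling_version(sling_version) < FIXED_SLING_VERSION
    feature, update = parse_java_version(java_version)
    jdk_old = feature < 8 or (feature == 8 and update <= LAST_AFFECTED_JDK8_UPDATE)
    return sling_old and jdk_old


if __name__ == "__main__":
    # Constructed sample inventory rows: (host, bundle version, java.version)
    inventory = [
        ("host-a", "3.1.11", "1.8.0_191"),
        ("host-b", "3.1.11", "11.0.2"),
        ("host-c", "3.1.12", "1.8.0_181"),
    ]
    for host, sling, jdk in inventory:
        print(host, "AFFECTED" if is_affected(sling, jdk) else "not affected")
```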

Credit:

Xun Bai from LJQC Open Source Security Institute (reporter)

References:

https://sling.apache.org/news.html
https://sling.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-25141
