This is an automated email from the ASF dual-hosted git repository.

andy pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/jena-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 2f8aa5d13 Record CVE-2023-32200 (#164)
2f8aa5d13 is described below

commit 2f8aa5d1320a6403139dbdd69098ff2329b58697
Author: Andy Seaborne <a...@apache.org>
AuthorDate: Tue Jul 11 20:47:52 2023 +0100

    Record CVE-2023-32200 (#164)
---
 source/about_jena/security-advisories.md | 80 +++++++++++++++++++++-----------
 1 file changed, 52 insertions(+), 28 deletions(-)

diff --git a/source/about_jena/security-advisories.md 
b/source/about_jena/security-advisories.md
index 65f375f94..9146c21e3 100644
--- a/source/about_jena/security-advisories.md
+++ b/source/about_jena/security-advisories.md
@@ -2,9 +2,10 @@
 title: Jena Security Advisories
 ---
 
-The Jena project has issued a number of security advisories during the 
lifetime of the project.  On this page you'll
-find details of our [security issue process](#process), as well as a listing 
of our past [CVEs](#jena-cves) as well as relevant [Dependency 
CVEs](#cves-in-jena-dependencies).
-
+The Jena project has issued a number of security advisories during the 
lifetime of the
+project. On this page you'll find details of our [security issue
+process](#process), as a listing of our past [CVEs](#jena-cves) and 
+relevant [Dependency CVEs](#cves-in-jena-dependencies).
 
 ## Process
 
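Review bot: the rewrapped intro sentence in this hunk drops a word: `process](#process), as a listing of our past [CVEs](#jena-cves) and` should read `process](#process), as well as a listing of our past [CVEs](#jena-cves) and`, matching the removed line's `as well as a listing`.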
@@ -14,19 +15,21 @@ reporting and addressing security issues.
 If you think you have identified a Security issue in our project please refer 
to that policy for how to report it, and
 the process that the Jena Project Management Committee (PMC) will follow in 
addressing the issue.
 
-## Single Supported Version
+### Single Supported Version
 
 As a project, Apache Jena only has the resources to maintain a single release
-version.  Any accepted security issue will be fixed in a future release in a 
timeframe appropriate to the severity of the issue.  
+version.  Any accepted security issue will be fixed in a future release in a
+timeframe appropriate to the severity of the issue.
 
-## Standard Mitigation Advice
+### Standard Mitigation Advice
 
-Note that as a project our guidance to users is **always** to use the newest 
Jena version available to ensure you have
-any security fixes we have made available.
+Note that as a project our guidance to users is *always* to use the newest
+Jena version available to ensure you have any security fixes we have made
+available.
 
-Where more specific mitigations are available these will be denoted in the 
individual CVEs.
+Where more specific mitigations are available, these will be denoted in the 
individual CVEs.
 
-## End of Life (EOL) Components
+### End of Life (EOL) Components
 
 Where a security advisory is issued for a component that is already EOL 
(sometimes referred to as archived or retired
 within our documentation) then we will not fix the issue but instead reiterate 
our previous recommendations that users
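Review bot: the emphasis on `always` in the Standard Mitigation Advice paragraph changes from bold (`**always**`) to italic (`*always*`) in this hunk, which looks like a side effect of the rewrap rather than an intended change; keep `**always**` unless the weaker emphasis is deliberate. The demotion of the three subsection headings from `##` to `###` is consistent with nesting them under `## Process`.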
@@ -36,36 +39,57 @@ Such issues will follow the [CVE EOL Assignment
 
Process](https://cve.mitre.org/cve/cna/CVE_Program_End_of_Life_EOL_Assignment_Process.html)
 and will be clearly denoted
 by the **UNSUPPORTED WHEN ASSIGNED** text at the start of the description.
 
-## Security Issues in Dependencies
+### Security Issues in Dependencies
 
-For our dependencies the project relies primarily upon GitHub Dependabot 
Alerts to be made aware of available dependency
+For our dependencies, the project relies primarily upon GitHub Dependabot 
Alerts to be made aware of available dependency
 updates, whether security related or otherwise.  When a security related 
update is released and our analysis shows that
 Jena users may be affected we endeavour to take the dependency upgrade ASAP 
and make a new release in timeframe
 appropriate to the severity of the issue.
 
-# Jena CVEs
+## Jena CVEs
 
 The following CVEs specifically relate to the Jena codebase itself and have 
been addressed by the project. Per our
 policy above we advise users to always utilise the latest Jena release 
available.
 
 Please refer to the individual CVE links for further details and mitigations.
 
-## CVE-2023-22665 - Exposure of arbitrary execution in script engine 
expressions.
+#### CVE-2023-32200 - Exposure of execution in script engine expressions.
+
+[CVE-2023-32200](https://www.cve.org/CVERecord?id=CVE-2023-32200) affects Jena 
3.7.0
+through Jena 4.8.0 and relates to the
+[Javascript SPARQL 
Functions](https://jena.apache.org/documentation/query/javascript-functions.html)
 
+feature of our ARQ SPARQL engine.
+
+There is insufficient restrictions of called script functions in Apache Jena
+versions 4.8.0 and earlier, when invoking custom scripts. It allows a remote
+user to execute javascript via a SPARQL query.
+
+From Jena 4.9.0, script functions **MUST** be added to an explicit "allow" list
+for them to be called from the SPARQL query engine. This is in addition to the
+script enabling controls of Jena 4.8.0 which **MUST** also be applied.
+
+Users should upgrade to latest Jena 4.x [release](../download/) available.
+
+#### CVE-2023-22665 - Exposure of arbitrary execution in script engine 
expressions.
 
-[CVE-2023](https://www.cve.org/CVERecord?id=CVE-2023-22665) affects Jena 3.7.0 
through 4.7.0 and relates to the
-[Javascript SPARQL 
Functions](https://jena.apache.org/documentation/query/javascript-functions.html)
 feature of our ARQ
-SPARQL engine.
+[CVE-2023-22665](https://www.cve.org/CVERecord?id=CVE-2023-22665) affects Jena
+3.7.0 through 4.7.0 and relates to the 
+[Javascript SPARQL 
Functions](https://jena.apache.org/documentation/query/javascript-functions.html)
+feature of our ARQ SPARQL engine.
 
-From Jena 4.8.0 onwards this feature **MUST** be explicitly enabled by end 
users, and on newer JVMs (Java 17 onwards) a
-JavaScript script engine **MUST** be explicitly added to the environment.
+From Jena 4.8.0 onwards this feature **MUST** be explicitly enabled by end
+users, and on newer JVMs (Java 17 onwards) a JavaScript script engine **MUST**
+be explicitly added to the environment.
 
-However, when enabled this feature does expose the majority of the underlying 
scripting engine directly to SPARQL
-queries so may provide a vector for arbitrary code execution.  Therefore, it 
is recommended that this feature remain
-disabled for any publicly accessible deployment that utilises the ARQ query 
engine.
+However, when enabled this feature does expose the majority of the underlying
+scripting engine directly to SPARQL queries so may provide a vector for
+arbitrary code execution.  Therefore, it is recommended that this feature 
remain
+disabled for any publicly accessible deployment that utilises the ARQ query
+engine.
 
 Users should upgrade to latest Jena 4.x [release](../download/) available.
 
-## CVE-2022-45136 - JDBC Serialisation in Apache Jena SDB
+#### CVE-2022-45136 - JDBC Serialisation in Apache Jena SDB
 
 [CVE-2022-45136](https://www.cve.org/CVERecord?id=CVE-2022-45136) affects all 
versions of [Jena
 SDB](../documentation/archive/sdb/) up to and including the final `3.17.0` 
release.
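Review bot: the new `#### CVE-2023-32200` heading, and the demoted `#### CVE-2023-22665` and `#### CVE-2022-45136` headings, sit directly under `## Jena CVEs`, skipping the `###` level; use `###` so the page outline stays contiguous. In the new entry, `There is insufficient restrictions of called script functions` should read `There are insufficient restrictions on called script functions`, and `execute javascript` should be `execute JavaScript` to match the capitalisation used elsewhere on the page. The entry states that from 4.9.0 script functions MUST be added to an explicit allow list but does not say where that list is configured; a pointer to the relevant section of the already-linked Javascript SPARQL Functions documentation would make the mitigation actionable for readers.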
@@ -75,7 +99,7 @@ Apache Jena SDB has been EOL since December 2020 and we 
recommend any remaining
 
 Apache Jena would like to thank Crilwa & LaNyer640 for reporting this issue
 
-## CVE-2022-28890 - Processing External DTDs
+#### CVE-2022-28890 - Processing External DTDs
 
 [CVE-2022-28890](https://www.cve.org/CVERecord?id=CVE-2022-28890) affects the 
RDF/XML parser in Jena 4.4.0
 only.
@@ -85,26 +109,26 @@ Users should upgrade to latest Jena 4.x 
[release](../download/) available.
 Apache Jena would like to thank Feras Daragma, Avishag Shapira & Amit Laish 
(GE Digital, Cyber Security Lab) for their
 report.
 
-## CVE-2021-39239 - XML External Entity (XXE) Vulnerability
+#### CVE-2021-39239 - XML External Entity (XXE) Vulnerability
 
 [CVE-2021-39239](https://www.cve.org/CVERecord?id=CVE-2021-39239) affects XML 
parsing up to and including the Jena `4.1.0` release.
 
 Users should upgrade to latest Jena 4.x [release](../download/) available.
 
-## CVE-2021-33192 - Display information UI XSS in Apache Jena Fuseki
+#### CVE-2021-33192 - Display information UI XSS in Apache Jena Fuseki
 
 [CVE-2021-33192](https://www.cve.org/CVERecord?id=CVE-2021-33192) affected
 [Fuseki](../documentation/fuseki2/) versions `2.0.0` through `4.0.0`.
 
 Users should upgrade to latest Jena 4.x [release](../download/) available.
 
-# CVEs in Jena Dependencies
+## CVEs in Jena Dependencies
 
 The following advisories are CVEs in Jena's dependencies that may affect users 
of Jena, as with Jena specific CVEs our
 standard [Security Issue Policy](#security-issue-policy) applies and any 
necessary dependency updates, dependency API
 and/or configuration changes have been adopted and released as soon as 
appropriate.
 
-## log4shell
+#### log4shell
 
 [CVE-2021-45105](https://www.cve.org/CVERecord?id=CVE-2021-45046),
 [CVE-2021-45105](https://www.cve.org/CVERecord?id=CVE-2021-45105) and
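Review bot: in the log4shell entry the first link's text and target disagree: `[CVE-2021-45105](https://www.cve.org/CVERecord?id=CVE-2021-45046)` is immediately followed by `[CVE-2021-45105](https://www.cve.org/CVERecord?id=CVE-2021-45105)`, so CVE-2021-45105 is listed twice and the CVE-2021-45046 link is never named; the first link text should read `CVE-2021-45046`. These are unchanged context lines, but since this hunk already edits the entry's heading it is the natural place to correct them, and `#### log4shell` directly under `## CVEs in Jena Dependencies` has the same skipped `###` level as the Jena CVE headings.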
