This is an automated email from the ASF dual-hosted git repository.

andy pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/jena-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 536c85e4e Update advisories.md
536c85e4e is described below

commit 536c85e4e286fa5e08c802099f8ac051688c9f42
Author: Andy Seaborne <[email protected]>
AuthorDate: Mon Jul 21 19:08:25 2025 +0100

    Update advisories.md
    
    Co-authored-by: Rob Vesse <[email protected]>
---
 source/security/advisories.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/source/security/advisories.md b/source/security/advisories.md
index b3dde4373..2cb90d188 100644
--- a/source/security/advisories.md
+++ b/source/security/advisories.md
@@ -14,6 +14,29 @@ the latest Jena release available.
 
 Please refer to the individual CVE links for further details and mitigations.
 
+
+**CVE-2025-50151 - Configuration files uploaded by administrative users are 
not check properly**
+
+[CVE-2025-50151](https://www.cve.org/CVERecord?id=CVE-2025-50151) affects Jena
+Fuseki in versions up to 5.4.0.
+
+Configuration files could be uploaded by users with administrator access via 
the
+network. The file paths in configuration files were not validated and could
+refer to directories and files outside of the Fuseki server instance.
+
+This configuration file upload feature has been removed in Jena Fuseki 5.5.0.
+
+**CVE-2025-49656 - Administrative users can create files outside the server 
directory space via the admin UI**
+
+[CVE-2025-49656](https://www.cve.org/CVERecord?id=CVE-2025-49656)  affects Jena
+Fuseki in versions up to 5.4.0.
+
+Users with administrator access can create databases that refer to files 
outside
+the files area of the Fuseki server.
+
+Users are recommended to upgrade to version 5.5.0 where path names are 
validated
+and restricted to the files area of the Fuseki server instance.
+
 **CVE-2023-32200 - Exposure of execution in script engine expressions**
 
 [CVE-2023-32200](https://www.cve.org/CVERecord?id=CVE-2023-32200) affects Jena
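Review bot: the heading for the first new entry has a grammar slip, "Configuration files uploaded by administrative users are not check properly" should read "are not checked properly"; since this is the title that will be quoted by readers and aggregators, it is worth fixing before the page publishes. Two smaller style points in the same hunk: the second link line has a doubled space, `[CVE-2025-49656](https://www.cve.org/CVERecord?id=CVE-2025-49656)  affects Jena`, and the hunk opens with an extra `+` blank line, which leaves two consecutive blank lines between the "Please refer to the individual CVE links" paragraph and the first advisory while the rest of the page uses one. Finally, the CVE-2025-49656 entry ends with an explicit "Users are recommended to upgrade to version 5.5.0" sentence, but the CVE-2025-50151 entry only states that the upload feature "has been removed in Jena Fuseki 5.5.0"; adding the same recommendation sentence to the first entry would keep the mitigation guidance consistent across both advisories.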
