rvesse commented on code in PR #214: URL: https://github.com/apache/jena-site/pull/214#discussion_r2218513037
########## source/security/advisories.md: ########## @@ -14,6 +14,29 @@ the latest Jena release available. Please refer to the individual CVE links for further details and mitigations. + +**CVE-2025-50151 - Configuration files uploaded by administrative users are not check properly** + +[CVE-2025-50151](https://www.cve.org/CVERecord?id=CVE-2025-50151) affects Jena +Fuseki in versions up to 5.4.0. + +Configuration files could be uploaded by users with administrator access via the +network. The file paths in configuration files were not validated and could +refer to directories and files outside of the Fuseki. Review Comment: ```suggestion refer to directories and files outside of the Fuseki server instance. ``` ########## source/security/advisories.md: ########## 
@@ -14,6 +14,29 @@ the latest Jena release available. Please refer to the individual CVE links for further details and mitigations. + +**CVE-2025-50151 - Configuration files uploaded by administrative users are not check properly** + +[CVE-2025-50151](https://www.cve.org/CVERecord?id=CVE-2025-50151) affects Jena +Fuseki in versions up to 5.4.0. + +Configuration files could be uploaded by users with administrator access via the +network. The file paths in configuration files were not validated and could +refer to directories and files outside of the Fuseki. + +This configuration file upload feature has been removed in Jena Fuseki 5.5.0. + +**CVE-2025-49656 - Administrative users can create files outside the server directory space via the admin UI** + +[CVE-2025-49656](https://www.cve.org/CVERecord?id=CVE-2025-49656) affects Jena +Fuseki in versions up to 5.4.0. + +Users with administrator access can create databases that refer to files outside +the files area of the Fuseki server. + +Users are recommended to upgrade to version 5.5.0 where path names are validated +and restricted to the files area of the Fuseki. Review Comment: ```suggestion and restricted to the files area of the Fuseki server instance. ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@jena.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
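Review bot: the CVE-2025-50151 heading in this hunk has a typo, "are not check properly" should read "are not checked properly". Two consistency points on the same added lines: both entries say "affects Jena Fuseki in versions up to 5.4.0", which leaves it unclear whether 5.4.0 itself is affected; since the fix is in 5.5.0, "up to and including 5.4.0" would remove the ambiguity. Also, the CVE-2025-49656 entry closes with "Users are recommended to upgrade to version 5.5.0 ...", while the CVE-2025-50151 entry only states that the upload feature "has been removed in Jena Fuseki 5.5.0" without stating the recommended action; adding the same upgrade recommendation to the first entry would keep the two advisories consistent for readers looking for mitigations.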