On 20/07/2023 17:18, Brandon Sara wrote:
I just came across CVE-2023-32200 and was wondering, is it different than
CVE-2023-22665 and, if so, how is it different?
Jena 4.8.0 addresses CVE-2023-22665 by requiring the Java system
property "jena:scripting" to enable scripting.
Jena 4.9.0 addresses CVE-2023-32200 which happens if scripting is
enabled (4.8.0). The change goes further than only addressing the
security issue by requiring script functions to be in an "allowed" list;
that is, there is an API contract for callable scripts. Other functions
in the script file are not callable which should help development.
Running Java 17 means there is no scripting engine unless the deployment
has added one. Java 11 has a scripting engine in the JDK.
Andy
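The two controls Andy describes (an opt-in system property that turns scripting on at all, and an allow-list so only named script functions are callable) can be illustrated with a small standalone Java class. This is an added example, not part of the thread and not Jena's own code or configuration: the property names `example.scripting` and `example.scripting.functions`, the class name and the sample script are all hypothetical. It also shows the Java 17 case, where `ScriptEngineManager` finds no JavaScript engine unless one has been added to the classpath.

```java
import javax.script.Invocable;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Illustrative gate for calling functions from a script file:
 * scripting must be explicitly enabled, and only allow-listed
 * function names may be invoked. Hypothetical example, not Jena's API.
 */
public final class GatedScriptCaller {
    // Hypothetical property names chosen for this example (not Jena's "jena:scripting").
    static final String ENABLE_PROP = "example.scripting";
    static final String ALLOWED_PROP = "example.scripting.functions";

    private final ScriptEngine engine;
    private final Set<String> allowed;

    private GatedScriptCaller(ScriptEngine engine, Set<String> allowed) {
        this.engine = engine;
        this.allowed = allowed;
    }

    /** Scripting is off unless the deployment opts in with -Dexample.scripting=true. */
    static boolean scriptingEnabled() {
        return Boolean.parseBoolean(System.getProperty(ENABLE_PROP, "false"));
    }

    /** Comma-separated list of callable function names; empty means nothing is callable. */
    static Set<String> allowedFunctions() {
        Set<String> names = new HashSet<>();
        for (String n : System.getProperty(ALLOWED_PROP, "").split(",")) {
            String t = n.trim();
            if (!t.isEmpty()) names.add(t);
        }
        return Collections.unmodifiableSet(names);
    }

    /** Loads the script only when scripting is enabled and an engine is actually present. */
    static GatedScriptCaller create(String scriptSource) throws ScriptException {
        if (!scriptingEnabled()) {
            throw new IllegalStateException("scripting disabled: set -D" + ENABLE_PROP + "=true");
        }
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("javascript");
        if (engine == null) {
            // Expected on Java 17 unless the deployment has added a JavaScript engine.
            throw new IllegalStateException("no JavaScript ScriptEngine available on this JDK");
        }
        engine.eval(scriptSource);
        return new GatedScriptCaller(engine, allowedFunctions());
    }

    /** Invokes a script function only if its name is on the allow-list. */
    Object call(String fn, Object... args) throws ScriptException, NoSuchMethodException {
        if (!allowed.contains(fn)) {
            throw new SecurityException("function not in allow-list: " + fn);
        }
        return ((Invocable) engine).invokeFunction(fn, args);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample script: one function meant to be callable, one internal helper.
        String script = "function toUpper(s) { return String(s).toUpperCase(); }\n"
                      + "function internalHelper(s) { return s; }";
        GatedScriptCaller caller = create(script);
        System.out.println(caller.call("toUpper", "abc"));
        try {
            caller.call("internalHelper", "x");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Run it as `java -Dexample.scripting=true -Dexample.scripting.functions=toUpper GatedScriptCaller.java` on a JDK that still ships a JavaScript engine (Java 11), or on Java 17 with a JavaScript engine added to the classpath; without the `-D` flags the `create` call refuses to load the script, and with them only `toUpper` is callable while `internalHelper` is rejected.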