GoogleOSV:GHSA-GVG3-83Q4-RFHQCommand injection in Apache Sling
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
38.4%
Apache Sling JCR Base < 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. The functions getRepository and getRepositoryFromURL allow an application to access data stored in a remote location via JDNI and RMI. Users of Apache Sling JCR Base are recommended to upgrade to Apache Sling JCR Base 3.1.12 or later, or to run on a more recent JDK.
References
github.com/apache/sling-org-apache-sling-jcr-base
github.com/apache/sling-org-apache-sling-jcr-base/commit/6ed0a030fd5f13774aff0073c55cbe3ace0153cb
github.com/apache/sling-org-apache-sling-jcr-base/commit/779d8a7dd0437a4f31de02c0d995afcf83b9904b
issues.apache.org/jira/browse/SLING-11770
nvd.nist.gov/vuln/detail/CVE-2023-25141
sling.apache.org/news.html
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
38.4%