CVE-2022-28890: Processing external DTDs
First published: Thu May 05 2022(Updated: )
A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 and prior versions. Apache Jena 4.2.x and 4.3.x do not allow external entities.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Jena | =4.4.0 | |
| Apache Jena | <4.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2022-28890?
CVE-2022-28890 is a vulnerability in the RDF/XML parser of Apache Jena that allows an attacker to retrieve external DTDs.
Which versions of Apache Jena are affected by CVE-2022-28890?
Apache Jena versions 4.4.0 and prior are affected by CVE-2022-28890.
How does CVE-2022-28890 impact Apache Jena?
CVE-2022-28890 allows an attacker to cause an external DTD to be retrieved, posing a potential security risk to Apache Jena.
How severe is CVE-2022-28890?
CVE-2022-28890 has a severity score of 9.8 (critical).
How can I fix CVE-2022-28890?
To fix CVE-2022-28890, upgrade to Apache Jena version 4.5.0 or later.
- collector/github-advisory-latest
- alias/GHSA-gchv-364h-r896
- alias/CVE-2022-28890
- collector/nvd-index
- collector/github-advisory
- collector/nvd-api
- collector/nvd-cve
- agent/type
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/author
- agent/last-modified-date
- agent/tags
- agent/severity
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- package-manager/maven
- vendor/apache
- canonical/apache jena
- version/apache jena/4.4.0