Description

Apache Sling JCR Base < 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. The functions getRepository and getRepositoryFromURL allow an application to access data stored in a remote location via JDNI and RMI. Users of Apache Sling JCR Base are recommended to upgrade to Apache Sling JCR Base 3.1.12 or later, or to run on a more recent JDK.

Remediation

References

https://sling.apache.org/news.html

Related Vulnerabilities

CVE-2023-32989 Vulnerability in maven package org.jenkins-ci.plugins:azure-vm-agents

CVE-2010-2276 Vulnerability in npm package dojo

CVE-2022-36881 Vulnerability in maven package org.jenkins-ci.plugins:git-client

CVE-2021-32730 Vulnerability in maven package org.xwiki.platform:xwiki-platform-administration-ui

CVE-2021-41184 Vulnerability in maven package org.webjars.bowergithub.jquery:jquery-ui

Severity

High

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory