Apache Sling JCR Base < 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. The functions getRepository and getRepositoryFromURL allow an application to access data stored in a remote location via JDNI and RMI.
Users of Apache Sling JCR Base are recommended to upgrade to Apache Sling JCR Base 3.1.12 or later, or to run on a more recent JDK.
References
Link | Resource |
---|---|
https://sling.apache.org/news.html | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2023-02-14T12:12:21.224Z
Updated: 2023-02-14T12:12:21.224Z
Reserved: 2023-02-03T12:48:07.674Z
Link: CVE-2023-25141
JSON object: View
NVD Information
Status : Modified
Published: 2023-02-14T13:15:12.903
Modified: 2023-11-07T04:08:53.580
Link: CVE-2023-25141
JSON object: View
Redhat Information
No data.
CWE