Vulnerability-Lookup

CNVD-2023-25933

Vulnerability from cnvd - Published: 2023-04-12

Title

Apache Sling JNDI注入漏洞

Description

Apache Sling是美国阿帕奇（Apache）基金会的一个 Java 平台的开源Web框架。旨在在符合 JSR-170 的内容存储库（例如 Apache Jackrabbit ）上创建以内容为中心的应用程序。 Apache Sling JCR Base 3.1.12之前版本存在JNDI注入漏洞，该漏洞源于jndiName这个变量对于输入的数据缺乏正确验证，攻击者可利用该漏洞通过函数getRepository和 getRepositoryFromURL允许应用程序通过JDNI和RMI访问存储在远程位置的数据。

Severity

高

Patch Name

Apache Sling JNDI注入漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://sling.apache.org/news.html

Reference

https://cxsecurity.com/cveshow/CVE-2023-25141/

Impacted products

Name
Apache Apache Sling <3.1.12

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-25141",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-25141"
    }
  },
  "description": "Apache Sling\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a Java \u5e73\u53f0\u7684\u5f00\u6e90Web\u6846\u67b6\u3002\u65e8\u5728\u5728\u7b26\u5408 JSR-170 \u7684\u5185\u5bb9\u5b58\u50a8\u5e93\uff08\u4f8b\u5982 Apache Jackrabbit \uff09\u4e0a\u521b\u5efa\u4ee5\u5185\u5bb9\u4e3a\u4e2d\u5fc3\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\n\nApache Sling JCR Base 3.1.12\u4e4b\u524d\u7248\u672c\u5b58\u5728JNDI\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8ejndiName\u8fd9\u4e2a\u53d8\u91cf\u5bf9\u4e8e\u8f93\u5165\u7684\u6570\u636e\u7f3a\u4e4f\u6b63\u786e\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u51fd\u6570getRepository\u548c getRepositoryFromURL\u5141\u8bb8\u5e94\u7528\u7a0b\u5e8f\u901a\u8fc7JDNI\u548cRMI\u8bbf\u95ee\u5b58\u50a8\u5728\u8fdc\u7a0b\u4f4d\u7f6e\u7684\u6570\u636e\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://sling.apache.org/news.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-25933",
  "openTime": "2023-04-12",
  "patchDescription": "Apache Sling\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a Java \u5e73\u53f0\u7684\u5f00\u6e90Web\u6846\u67b6\u3002\u65e8\u5728\u5728\u7b26\u5408 JSR-170 \u7684\u5185\u5bb9\u5b58\u50a8\u5e93\uff08\u4f8b\u5982 Apache Jackrabbit \uff09\u4e0a\u521b\u5efa\u4ee5\u5185\u5bb9\u4e3a\u4e2d\u5fc3\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nApache Sling JCR Base 3.1.12\u4e4b\u524d\u7248\u672c\u5b58\u5728JNDI\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8ejndiName\u8fd9\u4e2a\u53d8\u91cf\u5bf9\u4e8e\u8f93\u5165\u7684\u6570\u636e\u7f3a\u4e4f\u6b63\u786e\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u51fd\u6570getRepository\u548c getRepositoryFromURL\u5141\u8bb8\u5e94\u7528\u7a0b\u5e8f\u901a\u8fc7JDNI\u548cRMI\u8bbf\u95ee\u5b58\u50a8\u5728\u8fdc\u7a0b\u4f4d\u7f6e\u7684\u6570\u636e\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Sling JNDI\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Apache Sling \u003c3.1.12"
  },
  "referenceLink": "https://cxsecurity.com/cveshow/CVE-2023-25141/",
  "serverity": "\u9ad8",
  "submitTime": "2023-02-17",
  "title": "Apache Sling JNDI\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2023-25141 (GCVE-0-2023-25141)

Vulnerability from cvelistv5 – Published: 2023-02-14 12:12 – Updated: 2025-03-20 18:11

Title

JNDI injection into Apache sling-org-apache-sling-jcr-base

Summary

Apache Sling JCR Base < 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. The functions getRepository and getRepositoryFromURL allow an application to access data stored in a remote location via JDNI and RMI. Users of Apache Sling JCR Base are recommended to upgrade to Apache Sling JCR Base 3.1.12 or later, or to run on a more recent JDK.

Severity ?

No CVSS data available.

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Assigner

apache

References

URL

Tags

https://sling.apache.org/news.html

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Sling JCR Base	Affected: 2.0.6 , < 3.1.12 (maven)

Credits

Xun Bai from LJQC Open Source Security Institute

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:18:35.247Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://sling.apache.org/news.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-25141",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-20T18:11:00.552684Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-74",
                "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-20T18:11:22.386Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Sling JCR Base",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.1.12",
              "status": "affected",
              "version": "2.0.6",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Xun Bai from LJQC Open Source Security Institute "
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eApache Sling JCR Base \u0026lt; 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. The functions getRepository and getRepositoryFromURL allow an application to access data stored in a remote location via JDNI and RMI.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eUsers of Apache Sling JCR Base are recommended to upgrade to Apache Sling JCR Base 3.1.12 or later, or to run on a more recent JDK.\u003c/div\u003e"
            }
          ],
          "value": "Apache Sling JCR Base \u003c 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. The functions getRepository and getRepositoryFromURL allow an application to access data stored in a remote location via JDNI and RMI.\n\n\n\n\nUsers of Apache Sling JCR Base are recommended to upgrade to Apache Sling JCR Base 3.1.12 or later, or to run on a more recent JDK.\n\n"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "critical"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-14T12:12:21.224Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://sling.apache.org/news.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "JNDI injection into Apache sling-org-apache-sling-jcr-base",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-25141",
    "datePublished": "2023-02-14T12:12:21.224Z",
    "dateReserved": "2023-02-03T12:48:07.674Z",
    "dateUpdated": "2025-03-20T18:11:22.386Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2023-25933

CVE-2023-25141 (GCVE-0-2023-25141)

Tags

Sightings

Nomenclature