CVE-2022-28890

9.8 CRITICAL

📋 TL;DR

This vulnerability in Apache Jena's RDF/XML parser lets anyone who can supply RDF/XML input make the parser retrieve an external DTD named in the document's DOCTYPE declaration. That retrieval is the foothold for XML External Entity (XXE) attacks: at minimum it is a server-side request forgery issued from the parsing host, and a hostile DTD can define entities that read local files and send their contents out of band. It affects Apache Jena 4.4.0 and prior versions; the vendor advisory notes that 4.2.x and 4.3.x do not allow external entities, which narrows what a hostile DTD can achieve there, but those releases remain listed as affected. Only applications that parse untrusted RDF/XML with a vulnerable Jena are exposed; other RDF syntaxes are not parsed as XML.

💻 Affected Systems

Products:
  • Apache Jena
Versions: Apache Jena 4.4.0 and prior versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vendor advisory lists 4.4.0 and all prior versions as affected but states that 4.2.x and 4.3.x do not allow external entities, so the file-reading variants of XXE are narrower there. Only code paths that parse RDF/XML are vulnerable; non-XML RDF syntaxes such as Turtle and N-Triples do not go through the XML parser and are not affected by this issue.

📦 What is this software?

Apache Jena is an open-source Java framework for RDF and Linked Data applications: it provides an in-memory and persistent RDF store, the RIOT parsers and writers for RDF syntaxes (RDF/XML, Turtle, N-Triples, JSON-LD and others), the ARQ SPARQL engine, and the Fuseki SPARQL server. The RDF/XML reader is the component at issue here; it is used whenever Jena loads a file, string or HTTP response in that syntax.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Out-of-band exfiltration of local files: a hostile external DTD fetched by the parser defines parameter entities that read a file on the parsing host (configuration, credentials, keys) and deliver its contents to an attacker-controlled URL. Also server-side request forgery from the parsing host against internal services that trust its network position.

🟠

Likely Case

Information disclosure through local file reading, or SSRF against internal HTTP services reachable from the parsing host (metadata endpoints, admin interfaces), either of which can be the first step of a broader compromise.

🟢

If Mitigated

Limited impact if external entity processing is disabled or input validation prevents malicious payloads.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only that the application parse attacker-controlled RDF/XML (an upload, a URL it is asked to fetch, a federated data source); no authentication is needed beyond whatever gates that input path, and external-DTD and XXE techniques are well documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Jena 4.5.0 or later

Vendor Advisory: https://lists.apache.org/thread/h88oh642455wljo0p5jgzs9phk4gj878

Restart Required: Yes

Instructions:

1. Upgrade Apache Jena to version 4.5.0 or later.
2. Update the dependency declarations in your project (Maven, Gradle, or a bundled apache-jena distribution) so every Jena artifact resolves to the patched version; check transitive dependencies, not just the ones you declare.
3. Restart any services that have the old jars loaded.

🔧 Temporary Workarounds

Disable external entity processing

all

Configure the XML parser that sees untrusted input so that it neither fetches external DTDs nor resolves external entities.

Jena's RDF/XML reader constructs its own SAX parser internally, so on a vulnerable release you cannot simply set features on it from application code. The practical form of this workaround is to run the raw input through a separately hardened JAXP/SAX parser first, and hand it to Jena only if that parser accepts it. The features to set on that parser (standard JAXP and Xerces feature names, which the JDK's built-in parser understands) are:

  • javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING = true
  • http://apache.org/xml/features/disallow-doctype-decl = true
  • http://xml.org/sax/features/external-general-entities = false
  • http://xml.org/sax/features/external-parameter-entities = false
  • http://apache.org/xml/features/nonvalidating/load-external-dtd = false

Input validation

all

Reject untrusted RDF/XML that carries a DOCTYPE declaration before it reaches Jena. Do this with an XML parser configured to disallow DOCTYPE rather than with a regular expression over the bytes: a regex misses encoding variations (for example UTF-16 input) that the real parser will still accept.
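The two workarounds above (refusing external DTDs and entities, and rejecting bad input before it is parsed) come down to one gate in practice, shown here as an added example that is not Jena's own code. Because Jena's RDF/XML reader builds its SAX parser internally, the input is first run through a separately hardened JDK SAX parser that rejects any DOCTYPE and fetches nothing, and only then handed to Jena. HardenedRdfXmlLoader and the two sample documents are constructed for this example; the feature URIs are the standard JAXP/Xerces ones, and the Jena calls are the public RIOT API (RDFParser, Lang.RDFXML). Assumes jena-arq on the classpath.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.apache.jena.rdf.model.Model;
import org.apache.jena.rdf.model.ModelFactory;
import org.apache.jena.riot.Lang;
import org.apache.jena.riot.RDFParser;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/** Gate for untrusted RDF/XML: a hardened pre-parse that rejects DOCTYPE and
 *  never fetches anything, followed by the normal Jena parse. Example code. */
public final class HardenedRdfXmlLoader {

    public static Model load(String rdfXml) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature names; the JDK's bundled parser is Xerces-derived.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        SAXParser pre = f.newSAXParser();

        // Throws SAXParseException on any DOCTYPE; no network or file access happens.
        pre.parse(new InputSource(new StringReader(rdfXml)), new DefaultHandler());

        // Input has no DOCTYPE, so even a vulnerable Jena has nothing to fetch.
        Model m = ModelFactory.createDefaultModel();
        RDFParser.fromString(rdfXml).lang(Lang.RDFXML).parse(m);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs for the example, not taken from any incident.
        String benign = "<rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\" "
                + "xmlns:ex=\"http://example.org/\">"
                + "<rdf:Description rdf:about=\"http://example.org/a\"><ex:p>ok</ex:p></rdf:Description>"
                + "</rdf:RDF>";
        // Same graph with an external DTD reference prepended (attacker.invalid is a placeholder).
        String hostile = "<!DOCTYPE rdf:RDF SYSTEM \"http://attacker.invalid/evil.dtd\">" + benign;

        System.out.println("benign document: " + load(benign).size() + " triple(s)");
        try {
            load(hostile);
            System.out.println("DOCTYPE accepted: the gate is NOT in effect");
        } catch (SAXParseException e) {
            System.out.println("rejected before reaching Jena: " + e.getMessage());
        }
    }
}
```

Some OWL/RDF exports (Protégé output, for example) carry an internal DOCTYPE subset used only as namespace-entity shorthand. If you must accept those, drop the disallow-doctype-decl feature but keep the three external-entity and load-external-dtd settings; internal entities then still expand while nothing is fetched from disk or network.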

🧯 If You Can't Patch

  • Gate all untrusted RDF/XML through a hardened XML parser that rejects DOCTYPE declarations and resolves no external entities, and only pass input that survives the gate to Jena.
  • Restrict outbound network access from the parsing host with egress filtering: the vulnerable behaviour is the DTD retrieval itself, so blocking arbitrary outbound HTTP blocks both the fetch and the out-of-band exfiltration channel.
  • Run the parsing component with the least filesystem access it needs, so a hostile DTD that does get fetched has little it can read.

🔍 How to Verify

Check if Vulnerable:

Check the Apache Jena version in use: 4.4.0 or earlier is vulnerable (the advisory notes that 4.2.x and 4.3.x do not allow external entities, but they remain affected). Then confirm whether any code path parses RDF/XML from input you do not control; if none does, the exposure is latent rather than live, but the upgrade is still due.

Check Version:

Inspect the resolved dependency graph for the jena-core and jena-arq artifact versions (for Maven: mvn dependency:tree | grep org.apache.jena; for Gradle: gradle dependencies), or, with the apache-jena distribution, run riot --version from its bin directory. From code, the constant org.apache.jena.Jena.VERSION reports the jena-core actually on the classpath, which is what matters when several copies are present.

Verify Fix Applied:

Confirm the version is 4.5.0 or later and, on the real deployment path, parse a test document whose DOCTYPE points at a listener you control (a loopback listener is enough). The listener must see no request. Use a DOCTYPE with no entity declarations so the test discloses nothing even if the build turns out to be vulnerable.
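A loopback canary test for the RDF/XML code path, added here as an example (not from the Jena project or the advisory). It starts a throwaway HTTP listener on 127.0.0.1, feeds Jena a constructed RDF/XML document whose DOCTYPE points at that listener, and reports whether the parser fetched the DTD. The document declares no entities, so nothing is read or disclosed; the only thing tested is whether the external DTD is retrieved. JenaDtdCanary, the /canary.dtd path and the sample document are constructed for the example. Assumes jena-arq on the classpath and a JDK that ships the jdk.httpserver module.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.jena.rdf.model.Model;
import org.apache.jena.rdf.model.ModelFactory;
import org.apache.jena.riot.Lang;
import org.apache.jena.riot.RDFParser;

/** Reports whether this Jena build fetches an external DTD from RDF/XML input.
 *  Everything stays on the loopback interface. Example code. */
public final class JenaDtdCanary {

    public static void main(String[] args) throws Exception {
        AtomicInteger hits = new AtomicInteger();

        // Ephemeral loopback listener standing in for an attacker's DTD server.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/canary.dtd", ex -> {
            hits.incrementAndGet();
            byte[] body = "<!ELEMENT rdf:RDF ANY>".getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        int port = server.getAddress().getPort();

        // Constructed test document: a minimal RDF/XML graph plus a DOCTYPE whose
        // SYSTEM identifier is the canary URL. No entities are declared, so a
        // vulnerable build discloses nothing; it merely makes one HTTP request.
        String doc = "<!DOCTYPE rdf:RDF SYSTEM \"http://127.0.0.1:" + port + "/canary.dtd\">\n"
                + "<rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\">\n"
                + "  <rdf:Description rdf:about=\"http://example.org/s\"/>\n"
                + "</rdf:RDF>\n";

        Model m = ModelFactory.createDefaultModel();
        try {
            RDFParser.fromString(doc).lang(Lang.RDFXML).parse(m);
        } catch (Exception e) {
            // A patched reader may reject the DOCTYPE outright; that is acceptable.
            // What decides the result is whether the canary was contacted.
            System.out.println("parse ended with: " + e);
        } finally {
            server.stop(0);
        }

        System.out.println("jena-core on classpath: " + org.apache.jena.Jena.VERSION);
        System.out.println(hits.get() > 0
                ? "VULNERABLE: external DTD was fetched (" + hits.get() + " request(s))"
                : "OK: external DTD was not fetched");
    }
}
```

Run this against the same jars and JVM the service uses; a check against a developer's local Jena says nothing about a deployment that shades or bundles a different copy.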

📡 Detection & Monitoring

Log Indicators:

  • Outbound HTTP requests from the JVM that hosts Jena to hosts it has no business contacting, especially requests for .dtd resources or to internal addresses. The JDK's default HTTP client sends a User-Agent of the form Java/<jvm version>, which makes these easy to pick out in proxy or egress logs.
  • Bursts of XML parsing errors or warnings from the RDF/XML reader coinciding with untrusted uploads or fetches, which can indicate probing with malformed DOCTYPE payloads.

Network Indicators:

  • Outbound connections from the parsing host to unusual external domains or to internal IPs, initiated immediately after RDF/XML input is received; DNS lookups for attacker-controlled names are often the first visible sign of an out-of-band exfiltration attempt.

SIEM Query:

source="application_logs" AND ("external entity" OR "DTD" OR "XXE" OR "DOCTYPE")

This only fires if the application logs parser errors in the first place. Proxy or egress logs are the more reliable source: look for requests from the application host with a User-Agent beginning "Java/" to destinations outside its normal set, or for any request path ending in .dtd.

🔗 References
