CVE-2023-25141

7.5 HIGH

📋 TL;DR

Apache Sling JCR Base before 3.1.12 is vulnerable to JNDI/RMI injection through its RepositoryAccessor utility functions, which obtain a repository from an RMI or JNDI URL. On JDK 1.8.0_191 (8u191) or earlier, a JNDI lookup of an attacker-controlled URL can load and instantiate classes from a remote codebase, giving remote code execution inside the Sling JVM. Organizations running JCR Base versions before 3.1.12 on such a JDK are affected; later JDK builds no longer trust remote codebases in JNDI references by default, which is why the JDK version is part of the affected condition.

💻 Affected Systems

Products:
  • Apache Sling JCR Base
Versions: < 3.1.12
Operating Systems: All operating systems running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable when the JVM running Sling is JDK 1.8.0_191 (8u191) or earlier (the "1.8.191" in the advisory is this build in java.version notation)

📦 What is this software?

Apache Sling is a Java web framework that stores its content in a JCR (Java Content Repository) such as Apache Jackrabbit or Jackrabbit Oak. The JCR Base bundle (org.apache.sling.jcr.base) supplies the repository abstraction Sling applications use, including the RepositoryAccessor utility class that resolves a repository from an RMI or JNDI URL, which is the code path this CVE concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary code, access sensitive data, and pivot to other systems in the network.

🟠

Likely Case

Remote code execution leading to data theft, service disruption, or deployment of malware/ransomware.

🟢

If Mitigated

Limited impact with proper network segmentation, but still potential for application-level compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

JNDI/RMI injection is well understood and routinely exploited in the wild (it is the same primitive behind Log4Shell). The sink here is the repository URL handed to RepositoryAccessor, so exploitability in a given deployment depends on whether an attacker can influence that URL (through configuration, or application code that forwards untrusted input to it); confirm your exposure rather than assuming the low-complexity rating applies to every install.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apache Sling JCR Base 3.1.12 or later

Vendor Advisory: https://sling.apache.org/news.html

Restart Required: Yes

Instructions:

1. Obtain Apache Sling JCR Base 3.1.12 or later from the official Apache repositories (Maven Central groupId org.apache.sling, artifactId org.apache.sling.jcr.base).
2. Replace the vulnerable bundle JAR with the patched version (or bump the dependency and redeploy).
3. Restart all affected Sling instances.
4. Upgrading the JDK to a build later than 1.8.0_191 is a mitigation, not a substitute for the patch: it disables remote codebase loading by default but does not stop the untrusted lookup itself, and deserialization of classes already on the classpath remains possible. Apply the Sling update regardless.

🔧 Temporary Workarounds

JDK Upgrade

all

Upgrade the JVM that actually runs Sling to a JDK 8 build later than 1.8.0_191, or to a current LTS release (11 or 17). Installing a newer package is not enough on its own: confirm that the Sling process uses it (check JAVA_HOME and the java binary in the process command line) and restart.

# Debian/Ubuntu: installs the distribution's current OpenJDK 8 build
sudo apt-get update && sudo apt-get install openjdk-8-jdk
# RHEL/CentOS
yum update java-1.8.0-openjdk
# Verify what the running Sling process uses (adjust the grep to your launcher)
ps -o pid,cmd -C java | grep -i sling
java -version

Network Restrictions

linux

Restrict outbound RMI and LDAP connections from affected systems. Port-based rules only block the default ports; an attacker's RMI registry or LDAP server can listen on any port, so a default-deny egress policy with explicit allows is what reliably stops the callback. Dropping all port 389 traffic also breaks legitimate directory lookups, so allow your own LDAP servers before the drop rules.

# Allow directory traffic to your own LDAP servers first (10.0.0.0/8 is a placeholder; use your directory subnet)
iptables -A OUTPUT -p tcp --dport 389 -d 10.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 636 -d 10.0.0.0/8 -j ACCEPT
# Drop everything else on the default RMI registry and LDAP ports
iptables -A OUTPUT -p tcp --dport 1099 -j DROP
iptables -A OUTPUT -p tcp --dport 389 -j DROP
iptables -A OUTPUT -p tcp --dport 636 -j DROP

🧯 If You Can't Patch

  • Immediately upgrade the JDK running Sling to a build later than 1.8.0_191 (and verify the process picked it up)
  • Apply a default-deny egress policy for the Sling hosts and firewall off outbound RMI/LDAP to anything but your own servers
  • Review where the repository URL used by RepositoryAccessor comes from and make sure it cannot be set from untrusted input

🔍 How to Verify

Check if Vulnerable:

Check the Apache Sling JCR Base bundle version and the JDK version of the JVM that runs Sling. If JCR Base < 3.1.12 AND the JDK reports java.version 1.8.0_191 or earlier (including any Java 7 build), the system is vulnerable.

Check Version:

# JDK in use (java -version writes to stderr)
java -version 2>&1 | head -1
# Maven projects: resolve the bundle version from the dependency tree
mvn dependency:tree -Dincludes=org.apache.sling:org.apache.sling.jcr.base
# Gradle projects
gradle dependencies | grep org.apache.sling.jcr.base
# Deployed bundle: read Bundle-Version from the JAR manifest
unzip -p org.apache.sling.jcr.base-*.jar META-INF/MANIFEST.MF | grep Bundle-Version

Verify Fix Applied:

Confirm the Apache Sling JCR Base bundle version is ≥ 3.1.12 (the fix), OR, as an interim mitigation only, that the JVM running Sling reports a java.version later than 1.8.0_191.
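The script below is an added worked example, not code from this page or from the Sling project. It implements the two version checks above offline: a legacy "1.8.0_NNN" or modern "11.0.x" java.version string against the 8u191 threshold, and an org.apache.sling.jcr.base bundle version against 3.1.12. The optional live section assumes a directory of deployed bundle JARs passed as the first argument, that `unzip` is available, and that the bundle manifest carries the standard Bundle-SymbolicName and Bundle-Version headers.

```shell
#!/usr/bin/env bash
# Added example for CVE-2023-25141: affected iff JCR Base < 3.1.12 AND JDK <= 1.8.0_191.
# Every function prints "vulnerable" or "ok" and returns 1 for vulnerable, 0 for ok.

# java.version strings: "1.8.0_181", "1.7.0_80" (legacy) or "11.0.20", "17" (Java 9+).
jdk_status() {
  local v="$1" major update
  case "$v" in
    1.*) major="${v#1.}"; major="${major%%.*}" ;;   # legacy 1.<major>.0_<update>
    *)   major="${v%%.*}" ;;                        # Java 9+: <major>.<minor>.<security>
  esac
  case "$v" in *_*) update="${v##*_}" ;; *) update=0 ;; esac
  update="${update%%[!0-9]*}"; update="${update:-0}" # drop "-ea" style qualifiers
  if [ "$major" -lt 8 ] || { [ "$major" -eq 8 ] && [ "$update" -le 191 ]; }; then
    echo vulnerable; return 1
  fi
  echo ok; return 0
}

# Bundle versions: "3.1.10", "3.1.10-SNAPSHOT", "3.2.0"; fixed in 3.1.12.
jcr_base_status() {
  local IFS=.
  set -- $1
  local maj=${1:-0} min=${2:-0} pat=${3:-0}
  pat="${pat%%[!0-9]*}"; pat="${pat:-0}"            # "10-SNAPSHOT" -> "10"
  if [ "$maj" -lt 3 ] || { [ "$maj" -eq 3 ] && [ "$min" -lt 1 ]; } \
     || { [ "$maj" -eq 3 ] && [ "$min" -eq 1 ] && [ "$pat" -lt 12 ]; }; then
    echo vulnerable; return 1
  fi
  echo ok; return 0
}

# Both conditions must hold for the CVE to apply.
cve_2023_25141_status() {   # args: <jcr.base version> <java.version>
  if [ "$(jcr_base_status "$1")" = vulnerable ] && [ "$(jdk_status "$2")" = vulnerable ]; then
    echo vulnerable; return 1
  fi
  echo ok; return 0
}

# Optional live check: $1 is a directory containing the deployed bundle JARs
# (assumption: plain JAR files you can scan; the Felix cache layout is not handled).
if [ -n "${1:-}" ]; then
  jv=$(java -version 2>&1 | sed -n '1s/.*"\([^"]*\)".*/\1/p')   # java -version uses stderr
  find "$1" -name '*.jar' -print | while read -r jar; do
    mf=$(unzip -p "$jar" META-INF/MANIFEST.MF 2>/dev/null | tr -d '\r')
    case "$mf" in *"Bundle-SymbolicName: org.apache.sling.jcr.base"*) ;; *) continue ;; esac
    bv=$(printf '%s\n' "$mf" | sed -n 's/^Bundle-Version: *//p')
    printf '%s\n  jcr.base %s on JDK %s -> %s\n' "$jar" "$bv" "$jv" \
      "$(cve_2023_25141_status "$bv" "$jv")"
  done
fi
```

Run it with no arguments to source the functions (for example `cve_2023_25141_status 3.1.10 1.8.0_181`), or with a bundle directory to print a verdict per JCR Base JAR found there.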

📡 Detection & Monitoring

Log Indicators:

  • JNDI lookups or repository connections whose URL scheme is rmi:// or ldap(s):// and whose host is not one of your own servers
  • RMI connection attempts to external IPs
  • Class loading from unexpected sources (remote codebases, temp directories, URLs)

Network Indicators:

  • Outbound connections from Sling hosts to the default RMI registry port (1099) on external hosts; attacker listeners may use any port, so also alert on new outbound destinations in general
  • LDAP/JNDI queries to servers other than your directory infrastructure

SIEM Query:

source="*apache-sling*" AND ("rmi://" OR "ldap://" OR "ldaps://" OR "RepositoryAccessor")

This Splunk-style query is deliberately broad; tune it by excluding your own RMI and LDAP hosts so that only connections to unexpected destinations surface.
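As an added example (not from this page or the Sling project), the shell function below applies the log indicators above to raw log lines: it extracts every rmi:// and ldap(s):// URL and flags those whose host is outside loopback or RFC 1918 space. The sample lines are constructed to resemble Sling log output and are not real logs; the attacker hosts use documentation address ranges. IPv6 bracketed hosts are not handled.

```shell
#!/usr/bin/env bash
# Added example: flag JNDI/RMI URLs in log lines that point at non-private hosts.
# Reads log lines on stdin, prints one ALERT line per suspicious URL.
flag_external_jndi() {
  grep -oE '(rmi|ldaps?)://[^[:space:]"/]+' | awk -F'://' '
    {
      host = $2
      sub(/:[0-9]+$/, "", host)                       # strip :port
      private = (host == "localhost" ||
                 host ~ /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
      if (!private) print "ALERT external JNDI/RMI target: " $0
    }'
}

# Constructed sample lines (shape only; not actual Sling output).
SAMPLE_LOG='12.03.2023 10:01:05.113 *INFO* [main] org.apache.sling.jcr.base.util.RepositoryAccessor Connecting to repository rmi://localhost:1099/jackrabbit
12.03.2023 10:01:07.442 *INFO* [qtp-1] org.apache.sling.jcr.base.util.RepositoryAccessor Connecting to repository rmi://203.0.113.5:1099/jackrabbit
12.03.2023 10:01:09.008 *INFO* [qtp-2] org.apache.sling.jcr.base.util.RepositoryAccessor Connecting to repository ldap://198.51.100.7:1389/a
12.03.2023 10:01:10.000 *INFO* [qtp-3] o.a.s.auth.core.impl.SlingAuthenticator user lookup via ldap://10.20.30.40:389/dc=corp,dc=example'

# Stand-alone run: prints the two external targets, ignores localhost and 10.20.30.40.
printf '%s\n' "$SAMPLE_LOG" | flag_external_jndi
```

Feed it a real log with `tail -F error.log | flag_external_jndi` or run it over archived logs; extend the `private` test with your own LDAP and RMI hosts to cut the remaining noise.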
