
CVE-2021-33192:
Cross-site scripting in Apache Jena Fuseki

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.94445%
Published: 8/13/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: org.apache.jena:jena-fuseki
Ecosystem: maven
Vulnerable Versions: >= 2.0.0, <= 4.0.0
First Patched Version: 4.1.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability manifests in HTML page generation with unescaped user input. While exact patch details are unavailable, analysis focuses on: 1) core data handling classes (DataAccessPointRegistry) that manage dataset names displayed in the admin UI; 2) query processing servlets (SPARQL_QueryGeneral) that render user-provided query parameters in HTML responses. These components likely passed dataset names or query parameters to templating systems without adequate output encoding prior to the 4.1.0 patch.


WAF Protection Rules

WAF Rule

A vulnerability in the HTML pages of Apache Jena Fuseki allows an attacker to execute arbitrary javascript on certain page views. This issue affects Apache Jena Fuseki from version 2.0.0 to version 4.0.0 (inclusive).
