CVE-2021-33192: Cross-site scripting in Apache Jena Fuseki
CVSS Score: 6.1 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.94445%
CWE
Published: 8/13/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.jena:jena-fuseki | maven | >= 2.0.0, <= 4.0.0 | 4.1.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability manifests in HTML page generation with unescaped user input. While exact patch details are unavailable, analysis focuses on:

1. Core data handling classes (`DataAccessPointRegistry`) that manage dataset names displayed in admin UI.
2. Query processing servlets (`SPARQL_QueryGeneral`) that render user-provided query parameters in HTML responses.

These components likely passed dataset names or query parameters to templating systems without adequate output encoding prior to the 4.1.0 patch.