7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-39239

GHSA ID

GHSA-7rp6-w7mg-h8rw

EPSS Score

0.55328%

CWE

CWE-611

Published

9/20/2021

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-39239

CVE-2021-39239: XML External Entity Reference in Apache Jena

A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-39239

GHSA ID

GHSA-7rp6-w7mg-h8rw

EPSS Score

0.55328%

CWE

CWE-611

Published

9/20/2021

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.jena:jena-core	maven	< 4.2.0	4.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XML parser configuration in Apache Jena's RDF/XML processing. While no explicit patch code is provided, XXE vulnerabilities in Java typically require modifications to XML parser initialization (e.g., disabling DTDs via setFeature).

Key indicators:

ARP (Jena's RDF/XML parser) is the primary XML processing component
Standard XXE fixes involve configuring SAX/DOM parsers with features like XMLConstants.FEATURE_SECURE_PROCESSING
The RDFParserBuilder would propagate these configurations to the underlying parser

Confidence is medium due to reliance on architectural patterns rather than explicit patch analysis.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility in XML pro**ssin* in *p**** J*n*, in v*rsions up to *.*.*, m*y *llow *n *tt**k*r to *x**ut* XML *xt*rn*l *ntiti*s (XX*), in*lu*in* *xposin* t** *ont*nts o* lo**l *il*s to * r*mot* s*rv*r.

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XML p*rs*r *on*i*ur*tion in *p**** J*n*'s R**/XML pro**ssin*. W*il* no *xpli*it p*t** *o** is provi***, XX* vuln*r**iliti*s in J*v* typi**lly r*quir* mo*i*i**tions to XML p*rs*r initi*liz*tion (*.*., *is**lin* *T

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-39239: XML External Entity Reference in Apache Jena

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI