9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-45136

GHSA ID

GHSA-g2qw-6vrr-v6pq

EPSS Score

CWE

CWE-502

Published

11/14/2022

Updated

8/2/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-45136

CVE-2022-45136:
Apache Jena vulnerable to Deserialization of Untrusted Data

Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in particular is known to be vulnerable to this class of attack. As a result an application using Apache Jena SDB can be subject to RCE when connected to a malicious database server. Apache Jena SDB has been EOL since December 2020 and users should migrate to alternative options e.g. Apache Jena TDB 2.

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-45136

GHSA ID

GHSA-g2qw-6vrr-v6pq

EPSS Score

CWE

CWE-502

Published

11/14/2022

Updated

8/2/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.jena:jena-sdb	maven	<= 3.17.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure usage of JDBC connections (particularly with MySQL drivers) rather than specific functions in Apache Jena SDB's codebase. The advisory indicates the root cause is improper handling of JDBC URL parameters (e.g., failing to disable 'autoDeserialize') and deserialization of untrusted data from database responses. However, no specific functions or code paths in Jena SDB are explicitly mentioned in the provided vulnerability details, commit diffs, or patch information. The vulnerability manifests through integration patterns with vulnerable JDBC drivers rather than identifiable functions within the Jena SDB package itself. This analysis is limited by the lack of code-specific references in the provided advisories and the EOL status of Jena SDB preventing patch analysis.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** J*n* S** *.**.* *n* **rli*r is vuln*r**l* to * J*** **s*ri*lis*tion *tt**k i* t** *tt**k*r is **l* to *ontrol t** J*** URL us** or **us* t** un**rlyin* **t***s* s*rv*r to r*turn m*li*ious **t*. T** mySQL J*** *riv*r in p*rti*ul*r is known to *

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* us*** o* J*** *onn**tions (p*rti*ul*rly wit* MySQL *riv*rs) r*t**r t**n sp**i*i* *un*tions in *p**** J*n* S**'s *o****s*. T** **visory in*i**t*s t** root **us* is improp*r **n*lin* o* J*** URL p*r*m*t*rs (*.*., *

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-45136: Apache Jena vulnerable to Deserialization of Untrusted Data

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-45136:
Apache Jena vulnerable to Deserialization of Untrusted Data

Vulnerability Intelligence
Miggo AI