A vulnerability in the RDF/XML parser of Apache Jena allows an attacker to cause an external DTD to be retrieved. This issue affects Apache Jena version 4.4.0 only. Apache Jena 4.2.x and 4.3.x do not allow external entities.

Affected Packages

Maven org.apache.jena:jena

Affected versions: 4.4.0 (fixed in 4.5.0)

Related CVEs

CVE-2022-28890

Key Information

GHSA ID

GHSA-gchv-364h-r896

Published

May 6, 2022 12:00 AM

Last Modified

October 13, 2023 9:07 PM

CVSS Score

9.0 /10

Primary Ecosystem

Maven

Primary Package

org.apache.jena:jena

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.