Update bundled Pellet/Jena dependency – CVE-2021-39239 (XXE)

Hi,

Owlready2 currently bundles Pellet with ` jena-core-2.10.0.jar`. This version of Apache Jena is affected by **CVE-2021-39239**, an XML External Entity (XXE) vulnerability fixed upstream in **Jena 4.2.0+**.

This shows up as a HIGH-severity finding in container and supply-chain security scanners when Owlready2 is used in production environments.

References:
- [https://nvd.nist.gov/vuln/detail/CVE-2021-39239](https://nvd.nist.gov/vuln/detail/CVE-2021-39239)
- [https://github.com/advisories/GHSA-7rp6-w7mg-h8rw](https://github.com/advisories/GHSA-7rp6-w7mg-h8rw)

Would it be possible to:
- Update the bundled Pellet/Jena dependency, or
- Provide a way to disable XML external entity processing.

Happy to help test or validate a fix if needed. Thanks for maintaining Owlready2.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update bundled Pellet/Jena dependency – CVE-2021-39239 (XXE) #53

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Update bundled Pellet/Jena dependency – CVE-2021-39239 (XXE) #53

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions