Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13cng1LXJwN20tbW00Oc4AAvLU

Withdrawn: CVE Rejected: JXPath vulnerable to remote code execution when interpreting untrusted XPath expressions

This advisory has been withdrawn due to the CVE being rejected.

Original advisory text

Those using JXPath to interpret untrusted XPath expressions may be vulnerable to a remote code execution attack. All JXPathContext class functions processing a XPath string are vulnerable except compile() and compilePath() function. The XPath expression can be used by an attacker to load any Java class from the classpath resulting in code execution.

Permalink: https://github.com/advisories/GHSA-wrx5-rp7m-mm49
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13cng1LXJwN20tbW00Oc4AAvLU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: about 1 year ago

Widthdrawn: about 1 year ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-wrx5-rp7m-mm49, CVE-2022-41852
References:

Affected Packages

maven:commons-jxpath:commons-jxpath
Dependent packages: 232
Dependent repositories: 2,283
Downloads:
Affected Version Ranges: <= 1.3
No known fixed version
All affected versions: