CVE-2022-41852 – commons-jxpath:commons-jxpath
Package
Manager: maven
Name: commons-jxpath:commons-jxpath
Vulnerable Version: <0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: N/A
EPSS: N/A (percentile: N/A)
Details
Withdrawn: CVE Rejected: JXPath vulnerable to remote code execution when interpreting untrusted XPath expressions

## This advisory has been withdrawn due to the CVE being rejected.

## Original advisory text

Those using JXPath to interpret untrusted XPath expressions may be vulnerable to a remote code execution attack. All JXPathContext class functions that process an XPath string are vulnerable, except the `compile()` and `compilePath()` functions. An attacker can use the XPath expression to load any Java class from the classpath, resulting in code execution.
Metadata
Created: 2022-10-06T18:52:05Z
Modified: 2023-03-06T22:41:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-wrx5-rp7m-mm49/GHSA-wrx5-rp7m-mm49.json
CWE IDs: ["CWE-470"]
Alternative ID: GHSA-wrx5-rp7m-mm49
Finding: N/A
Auto approve: 0