<p>There is no fixed version for <code>commons-jxpath:commons-jxpath</code>.</p>

Arbitrary Code Execution The advisory has been revoked - it doesn't affect any version of package commons-jxpath:commons-jxpath Open this link in a new tab

Threat Intelligence

Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-COMMONSJXPATH-3040861
published 7 Oct 2022
disclosed 6 Oct 2022
credit OSS Fuzz Team

Report a new vulnerability Found a mistake?

Introduced: 6 Oct 2022

CVE-2022-41852 Open this link in a new tab CWE-94 Open this link in a new tab

How to fix?

There is no fixed version for commons-jxpath:commons-jxpath.

Amendment

This was deemed not a vulnerability.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution when interpreting untrusted XPath expressions. All JXPathContext class functions processing an XPath string are vulnerable except the compile() and compilePath() functions. The XPath expression can be used by an attacker to load any Java class from the classpath, resulting in code execution.

NOTE: This issue has been acknowledged as invalid as the library is NOT expected to handle untrusted input.