Bharath Mohanraj created JXPATH-201:
---------------------------------------
Summary: CVE-2022-41852 RCE vulnerability in JXPathContext class
functions
Key: JXPATH-201
URL: https://issues.apache.org/jira/browse/JXPATH-201
Project: Commons JXPath
Issue Type: Bug
Affects Versions: 1.3
Environment: Steps to Reproduce:
- Issue reported here is, all functions in the class JXPathContext (except
compile and compilePath) are vulnerable to a remote code execution attack.
- An arbitrary code can be injected in the xpath values passed to these
functions, and it allows triggering java classes that can exploit the target
machine.
- For instance, the iterate() method in the JXPathContext class, can be invoked
by passing the xpath argument value as, java.lang.Thread.sleep(9999999) or
java.lang.Class.forName("ExploitTest"). These examples can result in triggering
the injected java code, and can exploit the target machine.
- Example:
```java
import java.util.Iterator;
import org.apache.commons.jxpath.JXPathContext;

// Test is the reporter's placeholder bean class; any Java object works as the context bean.
JXPathContext context = JXPathContext.newContext(new Test());
// The default function resolver treats "java.lang.Thread.sleep" as a class + static method name.
Iterator result = context.iterate("java.lang.Thread.sleep(9999999)");
System.out.println("result.hasNext() - " + result.hasNext());
```
Reporter: Bharath Mohanraj
Those using JXPath to interpret untrusted XPath expressions may be vulnerable
to a remote code execution attack. All JXPathContext class functions processing
an XPath string are vulnerable except the compile() and compilePath() functions.
The XPath expression can be used by an attacker to load any Java class from the
classpath, resulting in code execution.
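The defensive counterpart to the report above, as an added example that is not part of the issue or of the Commons JXPath project's own code. The root cause described in the report is JXPath's default function resolver, which maps a dotted prefix such as `java.lang.Thread` to a classpath class. The example replaces that default with an explicit allowlist via `JXPathContext.setFunctions(FunctionLibrary)` and then checks that the report's expression is rejected with `JXPathFunctionNotFoundException` (a `JXPathException`) before anything is invoked. It assumes JXPath 1.3 behaviour in which a context-level `Functions` object replaces, rather than supplements, the built-in package fallback; `SafeFunctions`, `RestrictedJXPathExample` and the map contents are constructed for the example. Verify against your own JXPath version, and treat this as a hardening step, not a substitute for keeping untrusted input out of XPath expressions.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.jxpath.ClassFunctions;
import org.apache.commons.jxpath.FunctionLibrary;
import org.apache.commons.jxpath.JXPathContext;
import org.apache.commons.jxpath.JXPathException;

public class RestrictedJXPathExample {

    // Constructed sample data; a plain Map is navigable by JXPath out of the box.
    static Map<String, Object> sampleData() {
        Map<String, Object> m = new HashMap<>();
        m.put("name", "demo");
        m.put("count", 3);
        return m;
    }

    // Hypothetical helper class: the only extension functions we choose to expose.
    public static class SafeFunctions {
        public static String upper(String s) {
            return s.toUpperCase();
        }
    }

    // Build a context whose function table is an explicit allowlist under the
    // "safe" prefix. Setting a FunctionLibrary here replaces the default
    // PackageFunctions("", null) resolver that turns "java.lang.Thread.sleep"
    // into a class lookup (assumption about 1.3 resolution order, see lead-in).
    static JXPathContext restrictedContext(Object bean) {
        JXPathContext ctx = JXPathContext.newContext(bean);
        FunctionLibrary lib = new FunctionLibrary();
        lib.addFunctions(new ClassFunctions(SafeFunctions.class, "safe"));
        ctx.setFunctions(lib);
        return ctx;
    }

    // Evaluate eagerly with getValue() so a rejected function call surfaces here,
    // and report it instead of letting the exception escape.
    static String evaluate(JXPathContext ctx, String xpath) {
        try {
            return String.valueOf(ctx.getValue(xpath));
        } catch (JXPathException e) {
            // JXPathFunctionNotFoundException for unknown functions; the class
            // named in the expression is never loaded or invoked.
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        JXPathContext ctx = restrictedContext(sampleData());

        // Ordinary path expressions and allowlisted functions still work.
        System.out.println(evaluate(ctx, "name"));               // demo
        System.out.println(evaluate(ctx, "count + 1"));          // 4.0
        System.out.println(evaluate(ctx, "safe:upper(name)"));   // DEMO

        // The expression from the report no longer resolves to Thread.sleep.
        System.out.println(evaluate(ctx, "java.lang.Thread.sleep(9999999)"));
    }
}
```

A quick way to confirm the setting took effect in a deployment is a unit test that evaluates the report's expression against the application's real context factory and asserts the call fails fast rather than sleeping; if it sleeps, the default resolver is still reachable (for example through a parent context created without `setFunctions`).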