Sign In

CVE-2022-4065

ADVISORY - github

Summary

Impact

Affected by this vulnerability is the function testngXmlExistsInJar of the file testng-core/src/main/java/org/testng/JarFileUtils.java of the component XML File Parser.

The manipulation leads to path traversal only for .xml, .yaml and .yml files by default. The attack implies running an unsafe test JAR. However since that JAR can also contain executable code itself, the path traversal is unlikely to be the main attack.

Patches

A patch is available in version 7.7.0 at commit 9150736cd2c123a6a3b60e6193630859f9f0422b. It is recommended to apply a patch to fix this issue. The patch was pushed into the master branch but no releases have yet been made with the patch included.

A backport of the fix is available in version 7.5.1 for Java 8 projects.

Workaround

  • Specify which tests to run when invoking TestNG by configuring them on the CLI or in the build tool controlling the run.
  • Do not run tests with untrusted JARs on the classpath, this includes pull requests on open source projects.
EPSS Score: 0.00276 (0.506)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADVISORY - github

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADVISORY - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

ADVISORY - redhat

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Impacted images

Advisories

NIST

CREATED

UPDATED

ADVISORY IDCVE-2022-4065
EXPLOITABILITY SCORE

2.1

EXPLOITS FOUND
COMMON WEAKNESS ENUMERATION (CWE)
CWE-22

CVSS SCORE

5.5medium

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-rc2q-x9mf-w3vf
EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-22

CVSS SCORE

7.8high

Debian

CREATED

UPDATED

ADVISORY IDCVE-2022-4065
EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Ubuntu

CREATED

UPDATED

ADVISORY IDCVE-2022-4065
EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.8medium

GitLab

CREATED

UPDATED

ADVISORY ID

CVE-2022-4065

EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1035CWE-22CWE-937

CVSS SCORE

7.8high

Red Hat

CREATED

UPDATED

ADVISORY IDCVE-2022-4065
EXPLOITABILITY SCORE

1.0

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-22

CVSS SCORE

7medium

intheWild

CREATED

UPDATED

ADVISORY IDCVE-2022-4065
EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY