Netflix / eureka

AWS Service registry for resilient mid-tier load balancing and failover.
Apache License 2.0

CVE-2022-41852 in commons-jxpath-1.3 #1471

Open RunFox opened 2 years ago

RunFox commented 2 years ago

Hello. There is CVE-2022-41852 with high-level risk in commons-jxpath-1.3. This library is transitive for com.netflix.eureka:eureka-client:1.10.17. Any patch?

ralberts commented 2 years ago

I am looking into a solution for this as well.

spencergibb commented 2 years ago

My guess is that eureka is not vulnerable to "untrusted XPath expressions may be vulnerable to a remote code execution", because it doesn't allow any untrusted XPath expressions.

habelson commented 2 years ago

For those who are interested, there appears to be interesting discussion about this issue here: https://github.com/apache/commons-jxpath/pull/25 and https://github.com/apache/commons-jxpath/pull/26