A Remote Code Execution in JXPath Library (CVE-2022-41852)

​

 Source :-https://tutorialboy24.blogspot.com/2022/10/a-remote-code-execution-in-jxpath.html

 

On 6th October 2022 new CVE was released for critical vulnerability with the identifier CVE-2022-41852. This vulnerability affects a Java library called Apache Commons JXPath, which is used for processing XPath syntax. All versions (including latest version) are affected by this vulnerability.

According to NIST the vulnerability score is 9.8 CRITICAL with CVSS:

Currently, there is no official fix for this vulnerability, but we might have a solution that should protect the application, however, it will disable the use of functions in all XPaths completely.

Are You Vulnerable?

If your application uses the JXPath library (artifact commons-jxpath:commons-jxpath), you might be vulnerable. According to CVE information, all methods for XPath processing are weak, except for compile() and compilePath(). If the user can provide value for the XPath expression, it might allow him to execute code on your application server (in the application context).

ArtifactId: commons-jxpath

GroupId: commons-jxpath

Package: org.apache.commons.jxpath

Version: <= 1.3

If you use SCA (Software Composition Analysis) tools like OWASP Dependency Check, BlackDuck, CxSCA and others, they will probably notify you about this vulnerability automatically.

Proof of Concept

First, let's look at the proof of concept that I created for this vulner