Source :-https://tutorialboy24.blogspot.com/2022/10/a-remote-code-execution-in-jxpath.html
On 6th October 2022 new CVE was released for critical vulnerability with the identifier CVE-2022-41852. This vulnerability affects a Java library called Apache Commons JXPath, which is used for processing XPath syntax. All versions (including latest version) are affected by this vulnerability.
According to NIST the vulnerability score is 9.8 CRITICAL with CVSS:
Currently, there is no official fix for this vulnerability, but we might have a solution that should protect the application, however, it will disable the use of functions in all XPaths completely.
Are You Vulnerable?
If your application uses the JXPath library (artifact commons-jxpath:commons-jxpath), you might be vulnerable. According to CVE information, all methods for XPath processing are weak, except for compile() and compilePath(). If the user can provide value for the XPath expression, it might allow him to execute code on your application server (in the application context).
ArtifactId: commons-jxpath
GroupId: commons-jxpath
Package: org.apache.commons.jxpath
Version: <= 1.3
If you use SCA (Software Composition Analysis) tools like OWASP Dependency Check, BlackDuck, CxSCA and others, they will probably notify you about this vulnerability automatically.
Proof of Concept
First, let's look at the proof of concept that I created for this vulner