JXPath up to 1.3 JXPathContext externally-controlled input to select classes or code
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.3 | $0-$5k | 0.00 |
Summary
A vulnerability was found in JXPath up to 1.3. It has been classified as problematic. Affected is the function JXPathContext. This manipulation causes use of externally-controlled input to select classes or code.
This vulnerability is tracked as CVE-2022-41852. The attack is possible to be carried out remotely. No exploit exists.
Details
A vulnerability classified as problematic was found in JXPath up to 1.3. Affected by this vulnerability is the function JXPathContext. The manipulation with an unknown input leads to a use of externally-controlled input to select classes or code vulnerability. The CWE definition for the vulnerability is CWE-470. The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. As an impact it is known to affect availability. The summary by CVE is:
Those using JXPath to interpret untrusted XPath expressions may be vulnerable to a remote code execution attack. All JXPathContext class functions processing a XPath string are vulnerable except compile() and compilePath() function. The XPath expression can be used by an attacker to load any Java class from the classpath resulting in code execution.
The weakness was disclosed 10/06/2022. It is possible to read the advisory at bugs.chromium.org. This vulnerability is known as CVE-2022-41852. Technical details of the vulnerability are known, but there is no available exploit.
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 7.3
VulDB Base Score: 4.3
VulDB Temp Score: 4.3
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
CNA Base Score: 7.7
CNA Vector (Google Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Use of externally-controlled input to select classes or codeCWE: CWE-470
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Timeline
09/30/2022 🔍10/06/2022 🔍
10/06/2022 🔍
10/30/2022 🔍
Sources
Advisory: bugs.chromium.orgStatus: Not defined
CVE: CVE-2022-41852 (🔍)
GCVE (CVE): GCVE-0-2022-41852
GCVE (VulDB): GCVE-100-210187
Entry
Created: 10/06/2022 10:39Updated: 10/30/2022 13:48
Changes: 10/06/2022 10:39 (44), 10/30/2022 13:42 (1), 10/30/2022 13:48 (12)
Complete: 🔍
Cache ID: 216::103
Submit
Duplicate
- Submit #XXXXXX: Xxxxxx Xxxxxxx Xxxxxxxxxxxxx X.* Xxxxxx Xxxx Xxxxxxxxx (by ZAST.AI)
- Submit #XXXXXX: Xxxxxx Xxxxxxx Xxxxxxxxxxxxxx X.* Xxxxxx Xxxx Xxxxxxxxx (by ZAST.AI)
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.