    [SmartClient is not vulnerable] Very High Vulnerability reported in commons-jxpath-1.3.jar which is a transitive dependency used in smartclient

    Hi,

    We have a very high vulnerability, mentioned below, reported in commons-jxpath-1.3.jar, which is a transitive dependency used by SmartClient. Could you please suggest how to resolve it, as there is no later version of commons-jxpath than 1.3?

    Details: CVE-2022-41852 | CWE-470
    Remote Code Execution (RCE): commons-jxpath is vulnerable to remote code execution. The vulnerability exists in `selectSingleNode` function in `JXPathContext.java` where the attacker can use the xpath expression to load any java class from the classpath which will lead to a code execution.
    Last edited by Isomorphic; 11 Nov 2022, 13:33.

    #2
    We have already responded to several customers on this: this does not apply to SmartClient. This vulnerability assumes end-user-specified JXPaths, whereas in SmartClient all JXPaths are developer-specified.

    No remediation steps are required because there is no vulnerability.

    Note that, of course, if your application code directly uses JXPath (not via SmartClient) and passes in end-user-specified XPaths, you would be vulnerable.
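The distinction drawn in the reply above (developer-specified paths versus end-user-specified paths) can be shown in code. The following is an added example, not code from the thread, from SmartClient or from the JXPath project; the `Directory`/`Employee` beans and the `QUERIES` table are constructed for illustration. The hardened `lookup` keeps every XPath expression fixed in the source and binds the user-controlled value as a JXPath variable (`$who`), so user input is only ever compared as data. The `unsafeLookup` method is the shape of the pattern the reply warns about: the expression text itself comes from the caller.

```java
import org.apache.commons.jxpath.JXPathContext;
import java.util.List;
import java.util.Map;

public class JXPathLookup {

    // Constructed sample bean graph that the application queries (assumption).
    public static final class Employee {
        private final String name;
        private final String dept;
        public Employee(String name, String dept) { this.name = name; this.dept = dept; }
        public String getName() { return name; }
        public String getDept() { return dept; }
    }

    public static final class Directory {
        private final List<Employee> employees;
        public Directory(List<Employee> employees) { this.employees = employees; }
        public List<Employee> getEmployees() { return employees; }
    }

    // Developer-specified expressions, selected by an operation name.
    // The caller never supplies XPath text, only the value bound to $who.
    private static final Map<String, String> QUERIES = Map.of(
        "byName", "employees[name = $who]/dept",
        "byDept", "employees[dept = $who]/name"
    );

    // Hardened form: fixed expression, user value passed as a bound variable.
    public static Object lookup(Directory dir, String query, String userValue) {
        String xpath = QUERIES.get(query);
        if (xpath == null) {
            throw new IllegalArgumentException("unknown query: " + query);
        }
        JXPathContext ctx = JXPathContext.newContext(dir);
        ctx.setLenient(true); // no match yields null instead of an exception
        ctx.getVariables().declareVariable("who", userValue);
        return ctx.getValue(xpath);
    }

    // The pattern the reply describes as vulnerable: the expression itself is
    // caller-controlled. Shown only as the 'before' form for contrast.
    public static Object unsafeLookup(Directory dir, String userSuppliedXPath) {
        return JXPathContext.newContext(dir).selectSingleNode(userSuppliedXPath);
    }

    public static void main(String[] args) {
        Directory dir = new Directory(List.of(
            new Employee("alice", "security"),
            new Employee("bob", "platform")));
        System.out.println(lookup(dir, "byName", "alice"));  // security
        System.out.println(lookup(dir, "byDept", "platform")); // bob
        System.out.println(lookup(dir, "byName", "nobody"));  // null (lenient)
    }
}
```

The useful review question for any JXPath call in application code is therefore whether the string reaching `selectSingleNode`, `getValue` or `iterate` is assembled from request data; if it is, move the request data into a declared variable and keep the expression constant, as `lookup` does.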
