org.apache.commons.jxpath_1.3.0.v200911051830.jar (Apache Commons JXPath Vulnerability) #291
Comments
|
I don't think any of the contributors is working on this topic and is likely to fix it soon. Some ideas have been discussed (mainly eclipse-platform/eclipse.platform.ui#423 ), but the chance of seeing those implemented soon are relatively low. Moreover, independently of Eclipse project, the JXPath project itself doesn't seem to have released a fix for that CVE; so there is no available easy fix path. |
|
Here it is marked as rejected: https://nvd.nist.gov/vuln/detail/CVE-2022-41852 If the following produces a new version, we will use that: That would be the place to ask "when can we expect a new jar"? Given that this library is used purely to access the workbench model representation, there is no actual risk of it using arbitrary XPaths from an untrusted source. |
|
Duplicate of eclipse-platform/eclipse.platform.ui#423 |
|
Let's close this as this is a duplicate and continue any discussion in eclipse-platform/eclipse.platform.ui#423. |
As we know there is already CVE assigned to this issue.
CVE-2022-41852: Apache Commons JXPatch is vulnerable to a remote code execution attack.
I would like to know when we can expect new JAR from eclipse side to resolve this CVE reported globally.
Thanks
Akash
The text was updated successfully, but these errors were encountered: