CVE-2022-4065
Path Traversal vulnerability in testng (Maven)

Path Traversal Proof of concept

What is CVE-2022-4065 About?

This vulnerability is a path traversal issue within the TestNG XML File Parser, allowing access to `.xml`, `.yaml`, and `.yml` files. Its impact is limited unless combined with other vulnerabilities, as running an unsafe JAR is a prerequisite. Exploiting this directly for significant impact is considered unlikely due to the nature of the attack vector.

Affected Software

  • org.testng:testng
    • >7.6.0, <7.7.0
    • >6.13, <7.5.1

Technical Details

The vulnerability resides in the testngXmlExistsInJar function in testng-core/src/main/java/org/testng/JarFileUtils.java, part of the XML File Parser component. The function does not correctly resolve or validate the paths of the entries it takes from the JAR, so an entry name can escape the intended directory and reach other files on the file system. By default the traversal only affects `.xml`, `.yaml`, and `.yml` files, and it requires that an unsafe test JAR be executed. Because running an untrusted JAR already gives an attacker direct code execution, the path traversal itself is usually a secondary concern.
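The missing check described above, shown as an added example rather than TestNG's own code: a hypothetical SafeJarExtractor that normalises each JAR entry name against the extraction directory, rejects (and logs) any entry that would escape it, and only handles the three suite file types the advisory names. The class, method and log message names are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.Enumeration;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Hypothetical hardened extraction of suite files from a test JAR; not TestNG's own code. */
public final class SafeJarExtractor {

    // The suite file types the advisory says the parser accepts by default.
    private static final Set<String> ALLOWED_SUFFIXES = Set.of(".xml", ".yaml", ".yml");

    // Returns the resolved target only if it stays inside destDir after normalisation.
    // A relative name containing ".." segments or an absolute name resolves outside
    // destDir and is rejected with null; this is the validation the advisory describes as absent.
    static Path resolveSafely(Path destDir, String entryName) {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        return (target.startsWith(base) && !target.equals(base)) ? target : null;
    }

    // Extracts only allowed suite files whose paths stay inside destDir; returns the count written.
    static int extractSuiteFiles(Path jarPath, Path destDir) throws IOException {
        int extracted = 0;
        try (JarFile jar = new JarFile(jarPath.toFile())) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                String lower = entry.getName().toLowerCase();
                if (entry.isDirectory() || ALLOWED_SUFFIXES.stream().noneMatch(lower::endsWith)) {
                    continue; // not a suite file; ignore
                }
                Path target = resolveSafely(destDir, entry.getName());
                if (target == null) {
                    // Surfacing rejected names gives operators a detection signal for crafted JARs.
                    System.err.println("Rejected traversal entry: " + entry.getName());
                    continue;
                }
                Files.createDirectories(target.getParent());
                try (InputStream in = jar.getInputStream(entry)) {
                    Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
                }
                extracted++;
            }
        }
        return extracted;
    }
}
```

With destDir `/tmp/suites`, resolveSafely returns `/tmp/suites/testng.xml` for `testng.xml` but null for `../../etc/app.xml` and for `/etc/app.yml`.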

What is the Impact of CVE-2022-4065?

Successful exploitation may allow attackers to access sensitive configuration files or other data stored in `.xml`, `.yaml`, or `.yml` formats outside the intended directory, potentially leading to information disclosure or further compromise.

What is the Exploitability of CVE-2022-4065?

Exploitation of this vulnerability is of moderate complexity. The primary prerequisite is that an attacker must be able to supply an "unsafe test JAR" and persuade a user or system to execute it. This implies a social engineering component or a prior compromise that allows JAR file injection. No explicit authentication or privilege requirements are stated for the path traversal itself, but running an untrusted JAR would likely require some form of execution privilege. This is a local exploitation scenario, since the JAR has to be executed within the target environment. A significant constraint is that the path traversal is limited to specific file extensions by default. The risk increases if the application frequently processes untrusted JAR files or if there are insufficient controls over which JAR files can be executed.

What are the Known Public Exploits?

PoC Author   Link   Commentary
shoucheng3   Link   PoC for CVE-2022-4065

What are the Available Fixes for CVE-2022-4065?

Available Upgrade Options

  • org.testng:testng
    • >6.13, <7.5.1 → Upgrade to 7.5.1
  • org.testng:testng
    • >7.6.0, <7.7.0 → Upgrade to 7.7.0


Additional Resources

What are Similar Vulnerabilities to CVE-2022-4065?

Similar Vulnerabilities: CVE-2023-2751, CVE-2023-34038, CVE-2023-45803, CVE-2023-38644, CVE-2023-28432