#VU74202 Path traversal in TestNG - CVE-2022-4065

Cybersecurity Help s.r.o.

Published: 2023-03-30

Vulnerability identifier: #VU74202

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-4065

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
TestNG
Universal components / Libraries / Software for developers

Vendor: Testng Project

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the testngXmlExistsInJar() function in testng-core/src/main/java/org/testng/JarFileUtils.java of the XML File Parser component. A remote attacker can pass specially crafted XML file to the application and overwrite arbitrary files on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

TestNG: 6.9.7 - 7.6.1

External links
https://github.com/cbeust/testng/commit/9150736cd2c123a6a3b60e6193630859f9f0422b
https://github.com/cbeust/testng/pull/2806
https://vuldb.com/?id.214027

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for mockito, snakeyaml, testng

openapi-generator update for TestNG

openEuler update for testng

Anolis OS update for testng

Multiple vulnerabilities in IBM UrbanCode Build

SUSE update for testng

Path traversal in TestNG testing framework