Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2022-4065 #2999

Closed
jackstuard opened this issue Oct 24, 2023 · 2 comments
Closed

CVE-2022-4065 #2999

jackstuard opened this issue Oct 24, 2023 · 2 comments

Comments

@jackstuard
Copy link

TestNG Version

7.8.0

We are using Dependency Track to manage our dependencies, and it mentions that TestNG 7.8.0 is vulnerable (CVE-2022-4065).
Is this analyzed and confirmed as a fake positive by the team?
Here is an overview and references:

Overview
A vulnerability was found in cbeust testng 7.5.0/7.6.0/7.6.1/7.7.0. It has been declared as critical. Affected by this vulnerability is the function testngXmlExistsInJar of the file testng-core/src/main/java/org/testng/JarFileUtils.java of the component XML File Parser. The manipulation leads to path traversal. The attack can be launched remotely. Upgrading to version 7.5.1 and 7.7.1 is able to address this issue. The patch is named 9150736. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-214027.

References
9150736
#2806
https://vuldb.com/?id.214027
https://vuldb.com/?ctiid.214027
https://github.com/cbeust/testng/releases/tag/7.7.1
@krmahadevan
Copy link
Member

This was already fixed in 7.7.1 Please see release notes https://github.com/testng-team/testng/releases/tag/7.7.0

@krmahadevan
Copy link
Member

Please see below screenshot from mvnrepository.com

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@krmahadevan @jackstuard