Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

GHSA-rc2q-x9mf-w3vf

TestNG is vulnerable to Path Traversal
Back to all
CVE

GHSA-rc2q-x9mf-w3vf

TestNG is vulnerable to Path Traversal

Impact

Affected by this vulnerability is the function testngXmlExistsInJar of the file testng-core/src/main/java/org/testng/JarFileUtils.java of the component XML File Parser.

The manipulation leads to path traversal only for .xml.yaml and .yml files by default. The attack implies running an unsafe test JAR. However since that JAR can also contain executable code itself, the path traversal is unlikely to be the main attack.

Patches

A patch is available in version 7.7.0 at commit 9150736cd2c123a6a3b60e6193630859f9f0422b. It is recommended to apply a patch to fix this issue. The patch was pushed into the master branch but no releases have yet been made with the patch included.

A backport of the fix is available in [version 7.5.1]((https://github.com/cbeust/testng/releases/tag/7.5.1) for Java 8 projects.

Workaround

  • Specify which tests to run when invoking TestNG by configuring them on the CLI or in the build tool controlling the run.
  • Do not run tests with untrusted JARs on the classpath, this includes pull requests on open source projects.

Package Versions Affected

Package Version
patch Availability
org.testng:testng 7.6.1
Available
Unavailable

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
5.5
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
C
H
U
0
-
3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
C
H
U
7.8
-
3.1
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Related Resources

No items found.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-4065, https://github.com/cbeust/testng/pull/1596, https://github.com/cbeust/testng/pull/2806, https://github.com/testng-team/testng/pull/2899, https://github.com/cbeust/testng/commit/9150736cd2c123a6a3b60e6193630859f9f0422b, https://github.com/cbeust/testng, https://github.com/cbeust/testng/releases/tag/7.7.0, https://github.com/cbeust/testng/releases/tag/7.7.1, https://github.com/testng-team/testng/releases/tag/7.5.1, https://vuldb.com/?ctiid.214027, https://vuldb.com/?id.214027

Severity

7.8

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.8
EPSS Probability
0.00451%
EPSS Percentile
0.63112%
Introduced Version
6.13,7.6.0,4.4.7
Fix Available
7.5.1,7.7.0

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading