org.apache.commons.jxpath_1.3.0.v200911051830.jar (Apache Commons JXPath Vulnerability)

[akapoor12]

As we know there is already CVE assigned to this issue.

CVE-2022-41852: Apache Commons JXPatch is vulnerable to a remote code execution attack.

I would like to know when we can expect new JAR from eclipse side to resolve this CVE reported globally.

Thanks
Akash

[mickaelistria]

I don't think any of the contributors is working on this topic and is likely to fix it soon. Some ideas have been discussed (mainly eclipse-platform/eclipse.platform.ui#423 ), but the chance of seeing those implemented soon are relatively low. Moreover, independently of Eclipse project, the JXPath project itself doesn't seem to have released a fix for that CVE; so there is no available easy fix path.
Do you think you could contribute a fix?

[merks]

Here it is marked as rejected:

https://nvd.nist.gov/vuln/detail/CVE-2022-41852

If the following produces a new version, we will use that:

apache/commons-jxpath#26

That would be the place to ask "when can we expect a new jar"?

Given that this library is used purely to access the workbench model representation, there is no actual risk of it using arbitrary XPaths from an untrusted source.

[HannesWell]

Duplicate of eclipse-platform/eclipse.platform.ui#423

[HannesWell]

Let's close this as this is a duplicate and continue any discussion in eclipse-platform/eclipse.platform.ui#423.