A vulnerability was found in cbeust testng and has been declared critical. The affected code is the function testngXmlExistsInJar in the file testng-core/src/main/java/org/testng/JarFileUtils.java, part of the XML File Parser component. The manipulation leads to path traversal of the zip-slip kind: an entry name inside an attacker-controlled JAR is joined to the extraction directory without being checked, so an entry such as ../../something is written outside that directory. The attack can be launched remotely; it requires TestNG to process a JAR supplied by the attacker.

A patch is available in version 7.7.0, commit 9150736cd2c123a6a3b60e6193630859f9f0422b (merged through pull request 2806). When this advisory was first published the fix existed only on the master branch with no release containing it; the 7.7.0 release now includes it. It is recommended to upgrade to 7.7.0 or later, or to apply the commit to a vendored copy.
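The following is an added illustration of the zip-slip pattern described above; it is not TestNG's code and does not reproduce JarFileUtils. It constructs a small JAR whose second entry is named ../outside.xml, extracts it once with the vulnerable pattern (entry name joined straight onto the destination) and once with the hardened pattern (resolve the candidate path and require it to stay under the destination before writing). All file names, the jar contents and the helper names are assumptions made for the example.

```python
"""Added illustration of the zip-slip class behind CVE-2022-4065.

Not TestNG's code: the jar, its entry names and the helper names below are
constructed for this example only.
"""
from __future__ import annotations

import os
import tempfile
import zipfile


def build_malicious_jar(jar_path: str) -> None:
    """Constructed sample: a legitimate testng.xml plus an entry whose name
    climbs out of the extraction directory. The ZIP format does not validate
    entry names, so '../' survives in the archive as written."""
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr("testng.xml", "<suite name='legit'/>")
        jar.writestr("../outside.xml", "<suite name='planted outside'/>")


def unsafe_extract(jar_path: str, dest_dir: str) -> list[str]:
    """Vulnerable pattern: trust the entry name when building the output path.
    Returns the real paths that were written."""
    written: list[str] = []
    with zipfile.ZipFile(jar_path) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest_dir, info.filename)  # no validation
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(jar.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(jar_path: str, dest_dir: str) -> tuple[list[str], list[str]]:
    """Hardened pattern: resolve the candidate path and require it to be inside
    dest_dir before touching the filesystem. Returns (written, rejected)."""
    root = os.path.realpath(dest_dir)
    written: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(jar_path) as jar:
        for info in jar.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            # commonpath on two absolute paths catches '../' climbs, absolute
            # entry names, and sibling-prefix tricks such as dest vs dest2.
            if os.path.commonpath([root, target]) != root:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(jar.read(info))
            written.append(target)
    return written, rejected


def _escaped(dest_dir: str, paths: list[str]) -> bool:
    """True if any written path lies outside dest_dir."""
    root = os.path.realpath(dest_dir)
    return any(os.path.commonpath([root, p]) != root for p in paths)


def demo() -> dict:
    """Run both extractors against the constructed jar in a scratch directory
    and report whether each one let a file escape its destination."""
    with tempfile.TemporaryDirectory() as scratch:
        jar_path = os.path.join(scratch, "suite.jar")
        build_malicious_jar(jar_path)
        unsafe_dest = os.path.join(scratch, "unsafe")
        safe_dest = os.path.join(scratch, "safe")
        os.makedirs(unsafe_dest)
        os.makedirs(safe_dest)
        unsafe_paths = unsafe_extract(jar_path, unsafe_dest)
        safe_paths, rejected = safe_extract(jar_path, safe_dest)
        return {
            "unsafe_escaped": _escaped(unsafe_dest, unsafe_paths),
            "safe_escaped": _escaped(safe_dest, safe_paths),
            "safe_written": len(safe_paths),
            "rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The check in safe_extract is the one a reviewer should look for in any archive-extraction routine: compare the canonicalized target against the canonicalized destination, not the raw entry name, because entry names can also be absolute or use a sibling directory that merely shares a string prefix with the destination.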
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-4065
- https://github.com/cbeust/testng/pull/2806
- https://github.com/cbeust/testng/commit/9150736cd2c123a6a3b60e6193630859f9f0422b
- https://vuldb.com/?id.214027
- https://github.com/cbeust/testng/releases/tag/7.7.0
- https://github.com/advisories/GHSA-rc2q-x9mf-w3vf