seata CVE-2022-41852 Apache Commons JXPath 安全漏洞

vktxenjb  于 4个月前  发布在  Apache
关注(0)|答案(3)|浏览(130)
  • I have searched the issues of this repository and believe that this is not a duplicate.

Ⅰ. Issue Description

Ⅱ. Describe what happened

If there is an exception, please attach the exception trace:

Just paste your stack trace here!

Ⅲ. Describe what you expected to happen

Ⅳ. How to reproduce it (as minimally and precisely as possible)

Apache JXPath 在解析用户提供的XPath表达式时,若使用了JXPathContext中除compile和compilePath之外的函数来解析XPath表达式时,会导致远程代码执行漏洞。

官方未针对 CVE-2022-41852 Apache Commons JXPath 远程代码执行漏洞发布安全更新。

Minimal yet complete reproducer code (or URL to code):

Ⅴ. Anything else we need to know?

Ⅵ. Environment:

  • JDK version(e.g. java -version ):
  • Seata client/server version:
  • Database version:
  • OS(e.g. uname -a ):
  • Others:
disbfnqx

disbfnqx1#

imported by eureka-client,try to check new version of eureka-client

neekobn8

neekobn82#

seata is not a strong dependency on eureka, so this is not a significant problem.

pes8fvy9

pes8fvy93#

@q343959872 This advisory has been withdrawn due to the CVE being rejected.

相关问题