Google Inc. CWE-470

** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. The CVE was then allocated by Google in breach of the CNA rules. After review by the JXPath maintainers, the original report was found to be invalid.

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133 [Exploit, Issue Tracking, Third Party Advisory]

Google Inc. AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

C-No limiting factors

I-No limiting factors

PR-No privileges needed

S-Unclear if Scope change occurs

Those using JXPath to interpret untrusted XPath expressions may be vulnerable to a remote code execution attack. All JXPathContext class functions processing a XPath string are vulnerable except compile() and compilePath() function. The XPath expression can be used by an attacker to load any Java class from the classpath resulting in code execution.

** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. The CVE was then allocated by Google in breach of the CNA rules. After review by the JXPath maintainers, the original report was found to be invalid.

OR
     *cpe:2.3:a:apache:commons_jxpath:*:*:*:*:*:*:*:* versions up to (including) 1.3

NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NIST CWE-470

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133 No Types Assigned

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133 Exploit, Issue Tracking, Third Party Advisory