cbeust testng XML File Parser JarFileUtils.java testngXmlExistsInJar path traversal
Description
A vulnerability was found in cbeust testng 7.5.0/7.6.0/7.6.1/7.7.0. It has been declared as critical. Affected by this vulnerability is the function testngXmlExistsInJar of the file testng-core/src/main/java/org/testng/JarFileUtils.java of the component XML File Parser. The manipulation leads to path traversal. The attack can be launched remotely. Upgrading to version 7.5.1 or 7.7.1 addresses this issue. The patch is identified by commit 9150736cd2c123a6a3b60e6193630859f9f0422b. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-214027.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal vulnerability in TestNG's XML parser allows remote attackers to read arbitrary files.
Root Cause
The vulnerability resides in the function testngXmlExistsInJar in testng-core/src/main/java/org/testng/JarFileUtils.java. The function does not properly sanitize file paths, allowing an attacker to traverse directories and access files outside the intended scope [1]. This is a classic path traversal flaw.
Exploitation
An attacker can exploit this vulnerability remotely by supplying a crafted XML file that triggers the vulnerable code path. No authentication is required, making the attack surface broad [1]. The specific attack vector involves manipulating the input to testngXmlExistsInJar, which is part of the XML file parsing component [1].
Impact
Successful exploitation allows an attacker to read arbitrary files on the system, potentially leading to disclosure of sensitive information such as configuration files, source code, or credentials [1]. The vulnerability is rated as critical with a CVSS score indicating high severity.
Mitigation
The vulnerability has been patched in TestNG versions 7.5.1 and 7.7.1 [3][4]. Users are strongly recommended to upgrade to these versions or later. The patch commit is 9150736cd2c123a6a3b60e6193630859f9f0422b [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
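The check that closes this class of bug, as an added example (not TestNG's own code): the destination path for each archive entry is normalized and required to stay under the target directory before anything is written. A constructed sample JAR with one in-scope entry and one `../` entry shows the traversal entry being rejected. Class and method names here are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.jar.*;

public class ZipSlipDemo {
    // Same idea as the fix: build the destination path, normalize it (collapsing
    // any "..") and require it to remain under the target directory. An absolute
    // entry name such as "/etc/x" is also caught, since resolve() keeps it absolute.
    // Path.startsWith compares whole components, so a target of "out" does not
    // accidentally accept "outside/x" the way String.startsWith would.
    static Path resolveEntry(Path targetDir, String entryName) throws IOException {
        Path base = targetDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(entryName).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("Bad zip entry: " + entryName);
        }
        return candidate;
    }

    // Hardened extraction: every entry passes resolveEntry before mkdirs or copy.
    static void extract(Path jar, Path targetDir) throws IOException {
        try (JarInputStream in = new JarInputStream(Files.newInputStream(jar))) {
            for (JarEntry je; (je = in.getNextJarEntry()) != null; ) {
                if (je.isDirectory()) continue;
                Path out = resolveEntry(targetDir, je.getName());
                Files.createDirectories(out.getParent());
                Files.copy(in, out, StandardCopyOption.REPLACE_EXISTING);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("zipslip-demo");
        Path jar = tmp.resolve("sample.jar");
        // Constructed sample archive: one in-scope entry, one traversal entry.
        try (JarOutputStream jos = new JarOutputStream(Files.newOutputStream(jar))) {
            jos.putNextEntry(new JarEntry("testng.xml"));
            jos.write("<suite name=\"ok\"/>".getBytes());
            jos.closeEntry();
            jos.putNextEntry(new JarEntry("../escaped.xml"));
            jos.write("<suite name=\"bad\"/>".getBytes());
            jos.closeEntry();
        }
        try {
            extract(jar, tmp.resolve("out"));
        } catch (IOException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Entries before the offending one are still extracted, so callers that need all-or-nothing semantics should validate every entry name before writing the first file.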
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.testng:testng (Maven) | >= 6.13, < 7.5.1 | 7.5.1 |
| org.testng:testng (Maven) | >= 7.6.0, < 7.7.0 | 7.7.0 |
Affected products
Patches
9150736cd2c1 Merge pull request #2806 from BulkSecurityGeneratorProjectV2/fix/JLL/zip-slip-vulnerability
1 file changed · +3 −0
testng-core/src/main/java/org/testng/JarFileUtils.java+3 −0 modified@@ -76,6 +76,9 @@ private boolean testngXmlExistsInJar(File jarFile, List<String> classes) throws if (Parser.canParse(jeName.toLowerCase())) { InputStream inputStream = jf.getInputStream(je); File copyFile = new File(file, jeName); + if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) { + throw new IOException("Bad zip entry"); + } copyFile.getParentFile().mkdirs(); Files.copy(inputStream, copyFile.toPath()); if (matchesXmlPathInJar(je)) {
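Review bot: The new guard in testngXmlExistsInJar is placed correctly (after the File is built, before mkdirs() and Files.copy()), and using Path.normalize() with Path.startsWith() is the right primitive, since Path.startsWith compares whole components rather than string prefixes. Two things I would still ask for: the "Bad zip entry" message should include jeName so a rejected archive can be diagnosed from the log, and the change is +3 −0 in a single file, so there is no regression test; a test that builds a JAR with a "../" entry and asserts the IOException would lock this in.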
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/cbeust/testng/commit/9150736cd2c123a6a3b60e6193630859f9f0422b (patch)
2. github.com/cbeust/testng/releases/tag/7.7.1 (patch)
3. github.com/advisories/GHSA-rc2q-x9mf-w3vf (advisory)
4. nvd.nist.gov/vuln/detail/CVE-2022-4065 (advisory)
5. github.com/cbeust/testng/pull/1596
6. github.com/cbeust/testng/pull/2806 (issue tracking)
7. github.com/cbeust/testng/releases/tag/7.7.0
8. github.com/testng-team/testng/pull/2899
9. github.com/testng-team/testng/releases/tag/7.5.1
10. vuldb.com (signature, permissions required)
11. vuldb.com (VDB entry, technical description)