CVE-2022-4065

Name of the Vulnerable Software and Affected Versions cbeust testng versions 7.5.0 through 7.7.0

Description A critical issue affects the function testngXmlExistsInJar of the file testng-core/src/main/java/org/testng/JarFileUtils.java of the component XML File Parser, leading to path traversal. The attack can be launched remotely, potentially allowing an attacker to execute arbitrary code with a specially crafted zip file. The manipulation is limited to .xml, .yaml, and .yml files by default.

Recommendations For versions 7.5.0, 7.6.0, and 7.6.1, upgrade to version 7.5.1. For version 7.7.0, upgrade to version 7.7.1. As a temporary workaround, consider specifying which tests to run when invoking TestNG by configuring them on the CLI or in the build tool controlling the run. Do not run tests with untrusted JARs on the classpath, including pull requests on open source projects.