How to fix vulnerability (CVE-2022-34169) in selenium:htmlunit-driver:3.62.0. It is coming from Xalan Java » 2.7.2 as a direct vulnerability

We are using org.seleniumhq.selenium:htmlunit-driver:3.62.0 in our Karate framework. The WhiteSource scan is catching this vulnerability, which is coming from xalan.

2.7.2 is the latest version of Xalan and we don't have any newer version available. Is there a way to fix it?

Any help would be appreciated.

Peter Thomas
There are a number of packages that are affected by this. There was some discussion of issues associated with fixing the CVE on https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8, but there have not been any updates in a couple of weeks. – Eric Schoen Aug 12 '22 at 13:16

1 Answer

There is no specific fix available at this time that I know of, but you may try to mitigate the vulnerability by using a different version of the selenium:htmlunit-driver.

NOTE: Fixed releases are not expected for the Apache Xalan project, which is being retired. This package is vulnerable to arbitrary code execution when processing malicious XSLT stylesheets, due to an integer truncation issue, which allows attackers to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Therefore you may consider alternatives like Apache Santuario and InterSystems IRIS, the latter being the best alternative.

c0d3x27
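One concrete way to act on the answer's suggestion of changing what pulls xalan onto the classpath, as an added example that is not part of the original answer: keep the same htmlunit-driver version but exclude the Xalan artifacts from its transitive subtree, then confirm the scanner no longer sees them. This assumes a Maven build and a test scope for the driver (neither is stated on the page); the coordinates `xalan:xalan` and its companion `xalan:serializer` are the standard ones for Xalan-J 2.7.2.

```xml
<!-- Before (constructed example): htmlunit-driver brings Xalan-J 2.7.2 in transitively -->
<dependency>
  <groupId>org.seleniumhq.selenium</groupId>
  <artifactId>htmlunit-driver</artifactId>
  <version>3.62.0</version>
  <scope>test</scope>
</dependency>

<!-- After: same driver version, but the Xalan artifacts are dropped from its subtree.
     A Maven exclusion applies to the whole transitive tree under this dependency,
     so it also removes xalan when it is pulled in through htmlunit itself. -->
<dependency>
  <groupId>org.seleniumhq.selenium</groupId>
  <artifactId>htmlunit-driver</artifactId>
  <version>3.62.0</version>
  <scope>test</scope>
  <exclusions>
    <exclusion>
      <!-- the artifact carrying the vulnerable XSLTC compiler -->
      <groupId>xalan</groupId>
      <artifactId>xalan</artifactId>
    </exclusion>
    <exclusion>
      <!-- companion artifact declared by xalan:xalan 2.7.2 -->
      <groupId>xalan</groupId>
      <artifactId>serializer</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Verify with `mvn dependency:tree -Dincludes=xalan`: an empty result means no other dependency re-introduces the artifact; if one does, the exclusion has to be repeated on that dependency as well. Because HtmlUnit declares xalan as a dependency, run the full suite afterwards; failures in XSLT-related scenarios mean the exclusion is not viable for that project and moving to a driver release that no longer depends on xalan is the remaining option. With xalan absent, `javax.xml.transform` falls back to the copy of XSLTC bundled in the JDK, so keeping the JDK itself patched matters just as much as the scanner finding.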