CVE-2022-41852 in commons-jxpath-1.3

[RunFox]

Hello. There is CVE-2022-41852 with high level risk in commons-jxpath-1.3. This library is transitive for com.netflix.eureka:eureka-client:1.10.17
Any patch?

[ralberts]

I am looking into a solution for this as well.

[spencergibb]

My guess is that eureka is not vulnerable to "untrusted XPath expressions may be vulnerable to a remote code execution", because it doesn't allow any untrusted XPath expressions

[habelson]

For those who are interested, there appears to be interesting discussion about this issue here:
apache/commons-jxpath#25
apache/commons-jxpath#26