How to fix vulnerability (CVE-2022-34169) in selenium:htmlunit-driver:3.62.0. It is coming from Xalan Java 2.7.2 as a direct vulnerability

We are using org.seleniumhq.selenium:htmlunit-driver:3.62.0 in our Karate framework. A WhiteSource scan is catching this vulnerability, which is coming from xalan.

2.7.2 is the latest version for Xalan and we don't have any newer version. Is there a way to fix it?

Any help would be appreciated


There is no specific fix available at this time that I know of, but you may try to mitigate the vulnerability by using a different version of the selenium:htmlunit-driver.

NOTE: Fixed releases are not expected for the Apache Xalan project, which is being retired. This package is vulnerable to arbitrary code execution when processing malicious XSLT stylesheets, due to an integer truncation issue that allows attackers to corrupt the Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Therefore you may consider alternatives like Apache Santuario and InterSystems IRIS, the latter being the best alternative.
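One concrete way to stop the scanner flagging the transitive xalan jar, added here as an example and not taken from the question or the answer above: exclude `xalan:xalan` from the `htmlunit-driver` dependency in the Maven `pom.xml`. This assumes the project builds with Maven and that the HtmlUnit-driven tests never exercise XSLT (for instance `XSLTProcessor` in page JavaScript), because HtmlUnit features that need Xalan will fail at runtime once the jar is gone.

```xml
<!-- Added example, not from the original post. Assumes a Maven build and
     that the test suite does not rely on HtmlUnit's XSLT support. -->
<dependencies>
  <dependency>
    <groupId>org.seleniumhq.selenium</groupId>
    <artifactId>htmlunit-driver</artifactId>
    <version>3.62.0</version>
    <exclusions>
      <!-- CVE-2022-34169 lives in xalan:xalan 2.7.2 (XSLTC compiler).
           Excluding it also drops its own transitive dependency
           xalan:serializer, unless another path pulls it back in. -->
      <exclusion>
        <groupId>xalan</groupId>
        <artifactId>xalan</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

After the change, run `mvn dependency:tree -Dincludes=xalan` and confirm that no `xalan` node is printed; if one still appears, another dependency is bringing it in and needs the same exclusion. Then run the full test suite, since the scan finding disappears only because the jar is no longer on the classpath, not because the defect in it was patched, and any test that depended on XSLT will now fail.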