The testng component's testngXmlExistsInJar function in JarFileUtils.java was found to permit path traversal.
Created testng tracking bugs for this issue: Affects: fedora-all [bug 2185305]