Bug 2252942 (CVE-2023-49093)
| Summary: | CVE-2023-49093 htmlunit: Feature for secure processing disabled in the XSLT processor | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aileenc, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, chfoley, clement.escoffier, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, fjuma, fmongiar, gmalinko, gsmet, ibek, ivassile, iweiss, janstey, jmartisk, jnethert, jrokos, jscholz, kverlaen, lgao, lthon, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, olubyans, pcongius, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rjohnson, rowaters, rruss, rstancel, rsvoboda, sbiarozk, smaestri, sthorger, swoodman, tom.jenkinson, tqvarnst |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | htmlunit 3.9.0 | Doc Type: | --- |
| Doc Text: |
A flaw was found in HTMLUnit. Fetching external resources may be possible for XSLT processors with the Feature for Secure Processing disabled (FSP), allowing code injection and arbitrary code execution. HTMLUnit is vulnerable to this type of attack by default.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2252943 | ||
|
Description
Pedro Sampaio
2023-12-05 11:31:20 UTC
|