Bug 2404780 (CVE-2024-31573)
| Summary: | CVE-2024-31573 org.xmlunit/xmlunit-core: XMLUnit Insecure Defaults when Processing XSLT Stylesheets | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abrianik, aschwart, asoldano, ataylor, bbaranow, bmaxwell, boliveir, brian.stansberry, ccranfor, chfoley, darran.lofthouse, dbruscin, dhanak, dkreling, dosoudil, drosa, eric.wittmann, fmariani, ggrzybek, gmalinko, ibek, istudens, ivassile, iweiss, janstey, jpechane, jrokos, jross, kvanderr, kverlaen, mnovotny, mosmerov, mposolda, msochure, msvehla, nipatil, nwallace, pantinor, parichar, pbizzarr, pdelbell, pesilva, pjindal, pmackay, rkubis, rmartinc, rstancel, rstepani, sausingh, smaestri, ssilvert, sthorger, swoodman, tasato, tcunning, tom.jenkinson, vmuzikar, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
When performing XSLT transformations XMLUnit for Java did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who's source can not be trusted. If the stylesheet can be provided externally this may even lead to a remote code execution in the context of the java application.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2404850, 2404851, 2404852 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2025-10-17 19:02:00 UTC
|