Bug 2252942 (CVE-2023-49093) - CVE-2023-49093 htmlunit: Feature for secure processing disabled in the XSLT processor
Summary: CVE-2023-49093 htmlunit: Feature for secure processing disabled in the XSLT p...
Keywords:
Status: NEW
Alias: CVE-2023-49093
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2252943
TreeView+ depends on / blocked
 
Reported: 2023-12-05 11:31 UTC by Pedro Sampaio
Modified: 2024-05-03 18:49 UTC (History)
66 users (show)

Fixed In Version: htmlunit 3.9.0
Doc Type: ---
Doc Text:
A flaw was found in HTMLUnit. Fetching external resources may be possible for XSLT processors with the Feature for Secure Processing disabled (FSP), allowing code injection and arbitrary code execution. HTMLUnit is vulnerable to this type of attack by default.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2023-12-05 11:31:20 UTC 
HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage. This vulnerability has been patched in version 3.9.0

References:

https://github.com/HtmlUnit/htmlunit/security/advisories/GHSA-37vq-hr2f-g7h7
https://www.htmlunit.org/changes-report.html#a3.9.0
Note You need to log in before you can comment on or make changes to this bug.