Описание
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values. An application is vulnerable only when it uses untrusted XML input with either isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert or xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace isXmlEqualTo(CharSequence) with XMLUnit, upgrade to version 3.27.7, or avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input. XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
A flaw was found in AssertJ. An XML External Entity (XXE) vulnerability exists in the XmlStringPrettyFormatter component, which is used by the isXmlEqualTo(CharSequence) assertion. If an application processes untrusted XML input using these methods, a remote attacker could exploit this flaw to read arbitrary local files, perform Server-Side Request Forgery (SSRF) by making the server request arbitrary URLs, or cause a Denial of Service (DoS) through entity expansion attacks.
Отчет
Exploitation of this vulnerability requires that a user processes untrusted content with the affected package.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| AMQ Clients | assertj-core | Fix deferred | ||
| OpenShift Serverless | openshift-serverless-1/kn-ekb-dispatcher-rhel9 | Fix deferred | ||
| OpenShift Serverless | openshift-serverless-1/kn-ekb-receiver-rhel9 | Fix deferred | ||
| Red Hat AMQ Broker 7 | assertj-core | Fix deferred | ||
| Red Hat build of Apache Camel 4 for Quarkus 3 | assertj-core | Fix deferred | ||
| Red Hat build of Apache Camel for Spring Boot 4 | assertj-core | Fix deferred | ||
| Red Hat build of Apache Camel - HawtIO 4 | assertj-core | Fix deferred | ||
| Red Hat build of Apicurio Registry 3 | assertj-core | Fix deferred | ||
| Red Hat build of Debezium 2 | assertj-core | Fix deferred | ||
| Red Hat build of Debezium 3 | assertj-core | Fix deferred |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
6.1 Medium
CVSS3
Связанные уязвимости
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause D...
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Deni
AssertJ provides Fluent testing assertions for Java and the Java Virtu ...
6.1 Medium
CVSS3