net.sourceforge.htmlunit:htmlunit@2.19 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the net.sourceforge.htmlunit:htmlunit package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Denial of Service (DoS)

net.sourceforge.htmlunit:htmlunit is a GUI-Less browser for Java programs

Affected versions of this package are vulnerable to Denial of Service (DoS). If HtmlUnit runs on user-supplied web pages, an attacker may supply content that causes HtmlUnit to crash by a stack overflow.

Note:

In case the payload is sent to an API endpoint which accepts user-supplied input without sanitization or validation, it is possible to trigger this vulnerability without user interaction.

How to fix Denial of Service (DoS)?

Upgrade net.sourceforge.htmlunit:htmlunit to version 2.70.0 or higher.

[,2.70.0)
  • C
Remote Code Execution (RCE)

net.sourceforge.htmlunit:htmlunit is a GUI-Less browser for Java programs

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage.

Note: Users are advised to upgrade to org.htmlunit:htmlunit component v3.0.0 as it contains a fix for this issue.

How to fix Remote Code Execution (RCE)?

A fix was pushed into the master branch but not yet published.

[0,)
  • M
Remote Code Execution (RCE)

net.sourceforge.htmlunit:htmlunit is a GUI-Less browser for Java programs

Affected versions of this package are vulnerable to Remote Code Execution (RCE). It initializes Rhino engine improperly, hence a malicious JavaScript code can execute arbitrary Java code on the application.

How to fix Remote Code Execution (RCE)?

Upgrade net.sourceforge.htmlunit:htmlunit to version 2.37.0 or higher.

[,2.37.0)