Insecure Default Variable Initialization Affecting org.xmlunit:xmlunit-core package, versions [,2.10.0)


Severity: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of concept

  • Snyk ID: SNYK-JAVA-ORGXMLUNIT-6751676
  • published: 2 May 2024
  • disclosed: 1 May 2024
  • credit: c1gar

Introduced: 1 May 2024

CVE-2024-31573
CWE-453

How to fix?

Upgrade org.xmlunit:xmlunit-core to version 2.10.0 or higher.

Overview

Affected versions of this package are vulnerable to Insecure Default Variable Initialization in the TransformerFactory class: the factory used when processing XSLT stylesheets allows execution of extension functions by default.

Most uses of the vulnerable package will be in testing of internal and trusted XML-handling code, and not performing XSLT transformations, so this vulnerability is unlikely to be exposed by an application.

Workaround

This vulnerability can be avoided by supplying a TransformerFactory instance configured to disable extension functions, passed in through the setFactory or setTransformerFactory methods.
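A hardened use of Transformation that applies this workaround, added here as an illustration and not taken from the advisory or the XMLUnit project. It assumes the JDK's built-in XSLT processor (a third-party TransformerFactory may reject the access-control attributes) and a constructed, benign stylesheet:

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xmlunit.transform.Transformation;

import java.io.StringReader;
import java.io.StringWriter;

public class HardenedTransformation {

    /** Builds a TransformerFactory that refuses XSLT extension functions. */
    static TransformerFactory secureFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // FEATURE_SECURE_PROCESSING makes the JDK XSLT processor reject
        // extension functions instead of executing them.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Assumption: JDK factory. Also block external DTD / stylesheet fetches
        // that a stylesheet could otherwise trigger.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /** Runs the transformation with the hardened factory instead of the default one. */
    static String transform(String xml, String xslt) throws Exception {
        Transformation transformation =
            new Transformation(new StreamSource(new StringReader(xml)));
        transformation.setStylesheet(new StreamSource(new StringReader(xslt)));
        transformation.setFactory(secureFactory()); // the advisory's workaround
        StringWriter out = new StringWriter();
        transformation.transformTo(new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a stylesheet that only copies the document.
        String xml = "<root><item>a</item></root>";
        String xslt = "<xsl:stylesheet version=\"1.0\""
            + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:template match=\"/\"><copy><xsl:copy-of select=\"*\"/></copy>"
            + "</xsl:template></xsl:stylesheet>";
        System.out.println(transform(xml, xslt));
    }
}
```

With the secure-processing feature set, a stylesheet that references an extension function fails at transform time with a TransformerException rather than running it, which is the behaviour to assert in a regression test.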

PoC

import org.xmlunit.transform.Transformation;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class xmlunit_test {
    public static void main(String[] args) {
        // Transformation is used with its default TransformerFactory, so any
        // extension functions referenced by 1.xsl are permitted (the vulnerable behaviour).
        Transformation transformation = new Transformation();
        Source xml = new StreamSource("1.xml");
        transformation.setSource(xml);
        Source xsl = new StreamSource("1.xsl");
        transformation.setStylesheet(xsl);
        Result result = new StreamResult("output.xml");
        transformation.transformTo(result);
    }
}

CVSS Scores (CVSS version 3.1)