Source: assertj-core
Version: 3.26.3-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for assertj-core.

CVE-2026-24400[0]:
| AssertJ provides Fluent testing assertions for Java and the Java
| Virtual Machine (JVM). Starting in version 1.4.0 and prior to
| version 3.27.7, an XML External Entity (XXE) vulnerability exists in
| `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the
| `toXmlDocument(String)` method initializes `DocumentBuilderFactory`
| with default settings, without disabling DTDs or external entities.
| This formatter is used by the `isXmlEqualTo(CharSequence)` assertion
| for `CharSequence` values. An application is vulnerable only when it
| uses untrusted XML input with either `isXmlEqualTo(CharSequence)`
| from `org.assertj.core.api.AbstractCharSequenceAssert` or
| `xmlPrettyFormat(String)` from
| `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted
| XML input is processed by one of these methods, an attacker
| could read arbitrary local files via `file://` URIs (e.g.,
| `/etc/passwd`, application configuration files); perform Server-Side
| Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of
| Service via "Billion Laughs" entity expansion attacks.
| `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit
| in version 3.18.0 and will be removed in version 4.0. Users of
| affected versions should, in order of preference: replace
| `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version
| 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or
| `XmlStringPrettyFormatter` with untrusted input.
| `XmlStringPrettyFormatter` has historically been considered a
| utility for `isXmlEqualTo(CharSequence)` rather than a feature for
| AssertJ users, so it is deprecated in version 3.27.7 and removed in
| version 4.0, with no replacement.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24400
    https://www.cve.org/CVERecord?id=CVE-2026-24400
[1] https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r
[2] https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
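Added example, not AssertJ's code and not the upstream fix: the default-settings `DocumentBuilderFactory` shape the advisory describes beside a hardened configuration that rejects DOCTYPEs and external entities, exercised on a constructed input. The class name `SafeXmlParser` and the sample XML are assumptions.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical helper, added for this example; not part of AssertJ.
public final class SafeXmlParser {

    // The shape the advisory describes: a factory left at its defaults,
    // so DTDs and external entities are processed.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory: refusing any DOCTYPE stops external entities and
    // "Billion Laughs" expansion outright; the remaining settings are
    // defense in depth for parsers that ignore the first feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE declaring a harmless internal entity.
        String withDoctype = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        // Default settings accept the DOCTYPE and expand the entity.
        System.out.println("default: " + parse(defaultFactory(), withDoctype).getDocumentElement().getTextContent());
        try {
            parse(hardenedFactory(), withDoctype);
        } catch (SAXException e) {
            System.out.println("hardened rejected DOCTYPE: " + e.getMessage());
        }
        // Plain documents without a DOCTYPE still parse normally.
        System.out.println("hardened: " + parse(hardenedFactory(), "<r>ok</r>").getDocumentElement().getTextContent());
    }
}
```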
