You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.xmlunit/xmlunit-core/2.9.1/e5833662d9a1279a37da3ef6f62a1da29fcd68c4/xmlunit-core-2.9.1.jar
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.xmlunit/xmlunit-core/2.9.1/e5833662d9a1279a37da3ef6f62a1da29fcd68c4/xmlunit-core-2.9.1.jar
When performing XSLT transformations XMLUnit for Java before 2.10.0 did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who's source can not be trusted. If the stylesheet can be provided externally this may even lead to a remote code execution.
Vulnerable Library - spring-boot-starter-test-3.3.2.jar
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.xmlunit/xmlunit-core/2.9.1/e5833662d9a1279a37da3ef6f62a1da29fcd68c4/xmlunit-core-2.9.1.jar
Found in HEAD commit: ec97c69a2b236b5bcf79b627e46e1d42617fc207
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-31573
Vulnerable Library - xmlunit-core-2.9.1.jar
XMLUnit for Java
Library home page: https://www.xmlunit.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.xmlunit/xmlunit-core/2.9.1/e5833662d9a1279a37da3ef6f62a1da29fcd68c4/xmlunit-core-2.9.1.jar
Dependency Hierarchy:
Found in HEAD commit: ec97c69a2b236b5bcf79b627e46e1d42617fc207
Found in base branch: main
Vulnerability Details
When performing XSLT transformations XMLUnit for Java before 2.10.0 did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who's source can not be trusted. If the stylesheet can be provided externally this may even lead to a remote code execution.
Publish Date: 2024-12-05
URL: CVE-2024-31573
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-chfm-68vv-pvw5
Release Date: 2024-04-05
Fix Resolution: org.xmlunit:xmlunit-core:2.10.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: