Code Injection in xmlunit

#VU94755 Code Injection in xmlunit

Published: 2024-07-26

Vulnerability identifier: #VU94755

Vulnerability risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-31573

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
xmlunit
Other software / Other software solutions

Vendor: XMLUnit

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to XMLUnit for Java does not disable XSLT extension functions by default when performing XSLT transformations. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

xmlunit: 2.0.0 - 2.9.1

External links
http://www.ibm.com/support/pages/node/7157514

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

IBM Watson Assistant for IBM Cloud Pak for Data update for XMLUnit for Java

Multiple vulnerabilities in IBM Cloud Pak for Network Automation

Code injection in IBM App Connect Enterprise

Code Injection in XMLUnit xmlunit