CVE-2023-26119: HtmlUnit Code Injection vulnerability

CVSS Score: 9.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.88285%
Published: 7/6/2023
Updated: 12/7/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: net.sourceforge.htmlunit:htmlunit
Ecosystem: maven
Vulnerable Versions: < 3.0.0
First Patched Version: 3.0.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from insecure XSLT processing where the TransformerFactory wasn't configured with FEATURE_SECURE_PROCESSING. This allowed execution of Java extension functions through XSLT stylesheets. The commit explicitly adds transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) to mitigate this. The PoC demonstrates exploiting this by calling Runtime.getRuntime() through Xalan extensions, which would be blocked when secure processing is enabled.
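
A check for the mitigation described above, as an added example (not HtmlUnit's code or the fixing commit). The class name `SecureXsltCheck` and the probe stylesheet are constructed for illustration; the probe calls the harmless `System.currentTimeMillis()` through the Xalan Java-extension namespace to confirm that a factory with `FEATURE_SECURE_PROCESSING` refuses extension calls.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class SecureXsltCheck {
    // Constructed probe: a stylesheet that calls a static Java method with no
    // side effects via the Xalan Java-extension namespace.
    static final String PROBE_XSL =
        "<xsl:stylesheet version='1.0'"
        + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
        + " xmlns:s='http://xml.apache.org/xalan/java/java.lang.System'>"
        + "<xsl:output method='text'/>"
        + "<xsl:template match='/'>"
        + "<xsl:value-of select='s:currentTimeMillis()'/>"
        + "</xsl:template></xsl:stylesheet>";

    /** Returns true if the factory lets the stylesheet call into Java. */
    static boolean extensionCallRuns(TransformerFactory factory) {
        try {
            Transformer t = factory.newTransformer(
                new StreamSource(new StringReader(PROBE_XSL)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<doc/>")),
                        new StreamResult(out));
            return !out.toString().isEmpty();
        } catch (TransformerException | RuntimeException e) {
            // Rejected at compile time or at transform time, depending on processor.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Unconfigured factory: the result depends on the processor and JDK defaults.
        TransformerFactory defaults = TransformerFactory.newInstance();
        System.out.println("default runs extension call: " + extensionCallRuns(defaults));

        // Hardened factory: the setting named in the root cause analysis.
        TransformerFactory hardened = TransformerFactory.newInstance();
        hardened.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        boolean blocked = !extensionCallRuns(hardened);
        System.out.println("hardened blocks extension call: " + blocked);
        if (!blocked) throw new IllegalStateException("secure processing not enforced");
    }
}
```

The same probe can run as a regression test in any code base that builds its own `TransformerFactory`, so a refactor that drops the `setFeature` call fails the build.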


WAF Protection Rules

WAF Rule

Versions of the package `net.sourceforge.htmlunit:htmlunit` from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker’s webpage.
