N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2024-31573

GHSA ID

GHSA-chfm-68vv-pvw5

EPSS Score

CWE

Published

5/1/2024

Updated

5/1/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-31573

CVE-2024-31573: XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets

Impact

When performing XSLT transformations XMLUnit for Java did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who's source can not be trusted. If the stylesheet can be provided externally this may even lead to a remote code execution.

Patches

Users are advised to upgrade to XMLUnit for Java 2.10.0 where the default has been changed by means of https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b

Workarounds

XMLUnit's main use-case is performing tests on code that generates or processes XML. Most users will not use it to perform arbitrary XSLT transformations.

Users running XSLT transformations with untrusted stylesheets should explicitly use XMLUnit's APIs to pass in a pre-configured TraX TransformerFactory with extension functions disabled via features and attributes. The required setFactory or setTransformerFactory methods have been available since XMLUnit for Java 2.0.0.

References

Bug Report JAXP Security Guide

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-31573

CVE-2024-31573:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2024-31573

GHSA ID

GHSA-chfm-68vv-pvw5

EPSS Score

CWE

Published

5/1/2024

Updated

5/1/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

vuln_not_found

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xmlunit:xmlunit-core	maven	< 2.10.0	2.10.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure defaults in XMLUnit's XSLT processing configuration. The key evidence is in the commit diff showing the Default instance was modified to add .withExtensionFunctionsDisabled() in 2.10.0. Prior versions used a configuration that only disabled DTD loading .withDTDLoadingDisabled() but left extension functions enabled. This matches the vulnerability description about missing protection against XSLT extension function execution. The Default instance is the primary configuration used for transformations unless explicitly overridden, making it the root cause of the insecure default.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-31573: XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets

Impact

Patches

Workarounds

References

CVE-2024-31573:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Technical Details

CVE-2024-31573: XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI