CVE-2024-31573
📋 TL;DR
XMLUnit for Java versions before 2.10.0, when used with its default configuration, may allow remote code execution via untrusted XSLT stylesheets. The cause is that the TransformerFactory XMLUnit creates by default leaves XSLT extension functions enabled, so an attacker who controls the stylesheet input can have the XSLT processor call into arbitrary Java code. Applications that run XSLT transformations through XMLUnit with stylesheets an attacker can influence are affected.
💻 Affected Systems
- XMLUnit for Java
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the application processing the XML, potentially leading to complete system compromise.
Likely Case
Limited code execution within the application context, potentially allowing data exfiltration or further privilege escalation.
If Mitigated
No impact if XSLT extension functions are disabled or if only trusted stylesheets are used.
🎯 Exploit Status
Exploitation requires the attacker to control the XSLT stylesheet used in transformations. This typically means they need to supply malicious XML input that includes or references a malicious stylesheet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.10.0
Vendor Advisory: https://github.com/advisories/GHSA-chfm-68vv-pvw5
Restart Required: No
Instructions:
1. Update the XMLUnit dependency to version 2.10.0 or later in your project's build configuration (Maven, Gradle, etc.).
2. Rebuild and redeploy your application.
3. No application restart is required if hot deployment is supported.
🔧 Temporary Workarounds
Disable XSLT extension functions
Manually configure the JAXP TransformerFactory to disable XSLT extension functions and hand that factory to XMLUnit (for example via Transformation.setFactory) instead of letting XMLUnit create its own:
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;

TransformerFactory factory = TransformerFactory.newInstance();
// Secure processing disables XSLT extension functions in the JDK's built-in XSLTC processor and in Apache Xalan
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
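As an added example (not code from the advisory or from the XMLUnit project), the workaround wired end to end: a hardened factory is handed to XMLUnit's Transformation and run on a constructed order document. It assumes the JDK's built-in XSLT processor (which honours the XMLConstants attributes) and an XMLUnit 2.x dependency on the classpath; the class and method names are hypothetical.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.xmlunit.builder.Input;
import org.xmlunit.transform.Transformation;

public final class HardenedXsltExample {

    /** Builds a TransformerFactory with XSLT extension functions and external fetches disabled. */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Secure processing turns off extension functions (Java method calls from XSLT)
        // in the JDK's built-in XSLTC processor and in Apache Xalan.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Also refuse to fetch external DTDs and stylesheets (xsl:import, xsl:include, document()).
        // Some third-party processors reject these attributes, hence the guard.
        try {
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException unsupported) {
            // Processor does not know these attributes; secure processing alone still applies.
        }
        return factory;
    }

    /** Runs an XMLUnit transformation with the hardened factory instead of XMLUnit's default one. */
    static String transform(String xml, String xslt) throws TransformerConfigurationException {
        Transformation t = new Transformation();
        t.setStylesheet(Input.fromString(xslt).build());
        t.setSource(Input.fromString(xml).build());
        t.setFactory(hardenedFactory()); // the step the pre-2.10.0 default configuration lacks
        return t.transformToString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a benign stylesheet with no extension-function calls.
        String xml = "<order><id>42</id></order>";
        String xslt = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:template match=\"/order\"><receipt id=\"{id}\"/></xsl:template>"
                + "</xsl:stylesheet>";
        System.out.println(transform(xml, xslt));
        // A stylesheet that declares an extension namespace and calls into Java is rejected by
        // the hardened factory with a TransformerConfigurationException instead of being executed.
    }
}
```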
🧯 If You Can't Patch
- Restrict XML input to trusted sources only and validate all stylesheets.
- Implement network segmentation to limit the impact of potential exploitation.
🔍 How to Verify
Check if Vulnerable:
Check your project's dependency management file (pom.xml, build.gradle) for the XMLUnit version. If the resolved version is below 2.10.0, you are running an affected release.
Check Version:
Maven: mvn dependency:tree | grep xmlunit
Gradle: gradle dependencies | grep xmlunit
Verify Fix Applied:
After updating, verify the XMLUnit version in your built application or dependency tree is 2.10.0 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unexpected child processes spawned by the Java application, especially around XML processing activity
- Errors related to XSLT transformation failures or security exceptions
Network Indicators:
- Unexpected outbound connections from the application server after XML processing
SIEM Query:
source="application.log" AND ("xmlunit" OR "XSLT") AND ("error" OR "exception" OR "security")