
XMLUnit2 has an RCE vulnerability caused by XSLT

Open c1gar opened this issue 1 year ago • 0 comments

pom.xml

```xml
<dependency>
    <groupId>org.xmlunit</groupId>
    <artifactId>xmlunit-core</artifactId>
    <version>2.9.1</version>
</dependency>
```

poc

```java
import org.xmlunit.transform.Transformation;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class xmlunit_test {
    public static void main(String[] args) {
        // Default Transformation: no TransformerFactory or security settings supplied
        Transformation transformation = new Transformation();
        // Input document to transform
        Source xml = new StreamSource("1.xml");
        transformation.setSource(xml);
        // Stylesheet taken from a file; this is the untrusted input in the report
        Source xsl = new StreamSource("1.xsl");
        transformation.setStylesheet(xsl);
        // Running the transformation evaluates the stylesheet
        Result result = new StreamResult("output.xml");
        transformation.transformTo(result);
    }
}
```


There is no function for setting security parameters in org.xmlunit.transform.Transformation, and the default security parameters do not include defense against XSLT vulnerabilities. And I would like to emphasize that XSLT vulnerabilities and XXE vulnerabilities are completely different types of vulnerabilities. XSLT vulnerabilities belong to CWE-94 type, while XXE vulnerabilities belong to CWE-611. For more details, please refer to [CVE-2017-7465](https://nvd.nist.gov/vuln/detail/CVE-2017-7465).

c1gar, Mar 11 '24 03:03
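A mitigation sketch for callers that must run stylesheets they do not fully trust, added here as an example and not taken from the issue or from the XMLUnit project: it passes a pre-configured JAXP `TransformerFactory` to `Transformation.setFactory` and checks that an extension-function call is refused. It assumes the JDK's built-in XSLT processor; the class name `HardenedTransformationExample` and the probe stylesheet are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import org.xmlunit.XMLUnitException;
import org.xmlunit.transform.Transformation;

public class HardenedTransformationExample {
    // Constructed probe: calls the harmless java.lang.Math.max through the Java
    // extension-function namespace, which a hardened factory must refuse.
    static final String PROBE_XSL =
        "<xsl:stylesheet version='1.0'"
        + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
        + " xmlns:math='http://xml.apache.org/xalan/java/java.lang.Math'>"
        + "<xsl:template match='/'><out><xsl:value-of select='math:max(1, 2)'/></out>"
        + "</xsl:template></xsl:stylesheet>";

    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing: the JDK processor then rejects extension functions.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // JAXP 1.5: forbid fetching external DTDs and imported/included stylesheets.
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // Some third-party processors do not know these attributes; rely on
            // the probe below to confirm what the chosen processor enforces.
        }
        return tf;
    }

    // Returns true when the hardened factory refuses the extension-function probe.
    static boolean probeRejected() throws TransformerConfigurationException {
        Transformation t = new Transformation(new StreamSource(new StringReader("<in/>")));
        t.setFactory(hardenedFactory());
        t.setStylesheet(new StreamSource(new StringReader(PROBE_XSL)));
        try {
            t.transformToString();
            return false; // stylesheet ran: extension functions are still enabled
        } catch (XMLUnitException e) {
            return true;  // XMLUnit wraps the processor's refusal
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("extension function rejected: " + probeRejected());
    }
}
```

Running the probe as a unit test in the consuming project catches a change of XSLT processor on the classpath that silently drops the restriction.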