path: /en/oss/XMLUnit | #

XMLUnit for Java's Transform's default transformation allowed the use of XSLT extension functions - this has been changed in 2.10.0.

If you've been using XMLUnit to run XSLT transformations with untrusted stylesheets and your setup is so that an attacker can chose the stylesheet and ensure your XSLT processor can run the extensions this may lead to a remote code execution in the worst setup. Therefore the old default has been assigned CVE-2024-31573.

Some XSLT processors - e.g. Apache Xalan - allow the extension code to be specified inline with an Apache BSF enabled scripting language - note that would require your code executing the transformation to also have BSF around. In outher cases your transformation would need to allow the attacker to also inject Java classes into your running process. This combined with my believe that XMLUnit is very unlikely to be run in a setup like this made me set the impact to "Low".

Advisory: https://github.com/xmlunit/xmlunit/security/advisories/GHSA-chfm-68vv-pvw5

path: /en/oss/XMLUnit | #

path: /en/oss/XMLUnit | #

I've just released a small minor release of XMLUnit.NET that fixes a bug with whitespace normalization/stripping and adds a small feature simplifying the use of NodeFilters.

Full list of changes:

path: /en/oss/XMLUnit | #

Full list of changes:

path: /en/oss/XMLUnit | #