Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] #9
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "renovate/maven-org.assertj-assertj-core-vulnerability"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
3.24.2→3.27.7AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
CVE-2026-24400 / GHSA-rqfh-9r24-8c9r
More information
Details
An XML External Entity (XXE) vulnerability exists in
org.assertj.core.util.xml.XmlStringPrettyFormatter: thetoXmlDocument(String)method initializesDocumentBuilderFactorywith default settings, without disabling DTDs or external entities. This formatter is used by theisXmlEqualTo(CharSequence)assertion forCharSequencevalues.An application is vulnerable only when it uses untrusted XML input with one of the following methods:
isXmlEqualTo(CharSequence)fromorg.assertj.core.api.AbstractCharSequenceAssertxmlPrettyFormat(String)fromorg.assertj.core.util.xml.XmlStringPrettyFormatterImpact
If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:
file://URIs (e.g.,/etc/passwd, application configuration files)Mitigation
isXmlEqualTo(CharSequence)has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:isXmlEqualTo(CharSequence)with XMLUnit, orisXmlEqualTo(CharSequence)orXmlStringPrettyFormatterwith untrusted input.XmlStringPrettyFormatterhas historically been considered a utility forisXmlEqualTo(CharSequence)rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.References
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.
a28cea5df7tod55da4d86eEdited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠️ Warning: custom changes will be lost.
View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.Merge
Merge the changes and update on Forgejo.Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.