Vulnerability-Lookup

CVE-2024-31573 (GCVE-0-2024-31573)

Vulnerability from cvelistv5 – Published: 2025-10-17 00:00 – Updated: 2025-10-17 19:04

Summary

XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.

Severity

4 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-669 - Incorrect Resource Transfer Between Spheres

Assigner

mitre

References

3 references

URL	Tags
https://github.com/advisories/GHSA-chfm-68vv-pvw5
https://github.com/xmlunit/xmlunit/issues/264
https://github.com/xmlunit/xmlunit/commit/b81d48b…

Impacted products

1 product

Vendor	Product	Version
XMLUnit	XMLUnit for Java	Affected: 2.0.0 , < 2.10.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-31573",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-17T19:03:35.746491Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-17T19:04:05.637Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/xmlunit/xmlunit/issues/264"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "XMLUnit for Java",
          "vendor": "XMLUnit",
          "versions": [
            {
              "lessThan": "2.10.0",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-669",
              "description": "CWE-669 Incorrect Resource Transfer Between Spheres",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-17T18:38:55.242Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/advisories/GHSA-chfm-68vv-pvw5"
        },
        {
          "url": "https://github.com/xmlunit/xmlunit/issues/264"
        },
        {
          "url": "https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-31573",
    "datePublished": "2025-10-17T00:00:00.000Z",
    "dateReserved": "2024-04-05T00:00:00.000Z",
    "dateUpdated": "2025-10-17T19:04:05.637Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-31573",
      "date": "2026-05-25",
      "epss": "0.00036",
      "percentile": "0.10904"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-31573\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2025-10-17T19:15:36.627\",\"lastModified\":\"2025-10-21T19:31:50.020\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cve@mitre.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":4.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.4,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"cve@mitre.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-669\"}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-chfm-68vv-pvw5\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/xmlunit/xmlunit/issues/264\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/xmlunit/xmlunit/issues/264\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-31573\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-17T19:03:35.746491Z\"}}}], \"references\": [{\"url\": \"https://github.com/xmlunit/xmlunit/issues/264\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-17T19:03:52.228Z\"}}], \"cna\": {\"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 4, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"XMLUnit\", \"product\": \"XMLUnit for Java\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0.0\", \"lessThan\": \"2.10.0\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://github.com/advisories/GHSA-chfm-68vv-pvw5\"}, {\"url\": \"https://github.com/xmlunit/xmlunit/issues/264\"}, {\"url\": \"https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b\"}], \"x_generator\": {\"engine\": \"enrichogram 0.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-669\", \"description\": \"CWE-669 Incorrect Resource Transfer Between Spheres\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2025-10-17T18:38:55.242Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-31573\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-17T19:04:05.637Z\", \"dateReserved\": \"2024-04-05T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2025-10-17T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

cleanstart-2026-ia43044

Vulnerability from cleanstart

Published

2026-04-01 09:30

Modified

2026-03-23 07:56

Summary

Security fixes for CVE-2020-8908, CVE-2022-42889, CVE-2023-2976, CVE-2024-25710, CVE-2024-26308, CVE-2024-29371, CVE-2024-29857, CVE-2024-30171, CVE-2024-31573, CVE-2024-47554, CVE-2025-11143, CVE-2025-12383, CVE-2025-48734, CVE-2025-48924, CVE-2025-58057, CVE-2025-67735, CVE-2025-68161, CVE-2025-8916, CVE-2026-1002, CVE-2026-1605, ghsa-72hv-8253-57qq applied in versions: 0.47.0-r2, 0.47.0-r3

Details

Multiple security vulnerabilities affect the strimzi-kafka-operator package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2020-8908	WEB
	https://osv.dev/vulnerability/CVE-2022-42889	WEB
	https://osv.dev/vulnerability/CVE-2023-2976	WEB
	https://osv.dev/vulnerability/CVE-2024-25710	WEB
	https://osv.dev/vulnerability/CVE-2024-26308	WEB
	https://osv.dev/vulnerability/CVE-2024-29371	WEB
	https://osv.dev/vulnerability/CVE-2024-29857	WEB
	https://osv.dev/vulnerability/CVE-2024-30171	WEB
	https://osv.dev/vulnerability/CVE-2024-31573	WEB
	https://osv.dev/vulnerability/CVE-2024-47554	WEB
	https://osv.dev/vulnerability/CVE-2025-11143	WEB
	https://osv.dev/vulnerability/CVE-2025-12383	WEB
	https://osv.dev/vulnerability/CVE-2025-48734	WEB
	https://osv.dev/vulnerability/CVE-2025-48924	WEB
	https://osv.dev/vulnerability/CVE-2025-58057	WEB
	https://osv.dev/vulnerability/CVE-2025-67735	WEB
	https://osv.dev/vulnerability/CVE-2025-68161	WEB
	https://osv.dev/vulnerability/CVE-2025-8916	WEB
	https://osv.dev/vulnerability/CVE-2026-1002	WEB
	https://osv.dev/vulnerability/CVE-2026-1605	WEB
	https://osv.dev/vulnerability/ghsa-72hv-8253-57qq	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2020-8908	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-42889	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2023-2976	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-25710	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-26308	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-29371	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-29857	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-30171	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-31573	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-47554	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-11143	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-12383	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-48734	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-48924	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-58057	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-67735	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-68161	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-8916	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1002	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1605	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "strimzi-kafka-operator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.47.0-r3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the strimzi-kafka-operator package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-IA43044",
  "modified": "2026-03-23T07:56:09Z",
  "published": "2026-04-01T09:30:15.088429Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-IA43044.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-8908"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-42889"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-2976"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-25710"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-26308"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-29371"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-29857"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-30171"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-31573"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-47554"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-11143"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-12383"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-48734"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-48924"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-58057"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-67735"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-68161"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-8916"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1002"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1605"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-72hv-8253-57qq"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8908"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2976"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25710"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26308"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29371"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29857"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30171"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31573"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11143"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12383"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48734"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58057"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67735"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68161"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8916"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1002"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1605"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2020-8908, CVE-2022-42889, CVE-2023-2976, CVE-2024-25710, CVE-2024-26308, CVE-2024-29371, CVE-2024-29857, CVE-2024-30171, CVE-2024-31573, CVE-2024-47554, CVE-2025-11143, CVE-2025-12383, CVE-2025-48734, CVE-2025-48924, CVE-2025-58057, CVE-2025-67735, CVE-2025-68161, CVE-2025-8916, CVE-2026-1002, CVE-2026-1605, ghsa-72hv-8253-57qq applied in versions: 0.47.0-r2, 0.47.0-r3",
  "upstream": [
    "CVE-2020-8908",
    "CVE-2022-42889",
    "CVE-2023-2976",
    "CVE-2024-25710",
    "CVE-2024-26308",
    "CVE-2024-29371",
    "CVE-2024-29857",
    "CVE-2024-30171",
    "CVE-2024-31573",
    "CVE-2024-47554",
    "CVE-2025-11143",
    "CVE-2025-12383",
    "CVE-2025-48734",
    "CVE-2025-48924",
    "CVE-2025-58057",
    "CVE-2025-67735",
    "CVE-2025-68161",
    "CVE-2025-8916",
    "CVE-2026-1002",
    "CVE-2026-1605",
    "ghsa-72hv-8253-57qq"
  ]
}

FKIE_CVE-2024-31573

Vulnerability from fkie_nvd - Published: 2025-10-17 19:15 - Updated: 2026-04-15 00:35

Severity

4.0 (Medium) - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.

References

	URL	Tags
	cve@mitre.org	https://github.com/advisories/GHSA-chfm-68vv-pvw5
	cve@mitre.org	https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b
	cve@mitre.org	https://github.com/xmlunit/xmlunit/issues/264
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/xmlunit/xmlunit/issues/264

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled."
    }
  ],
  "id": "CVE-2024-31573",
  "lastModified": "2026-04-15T00:35:42.020",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.4,
        "impactScore": 2.5,
        "source": "cve@mitre.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-10-17T19:15:36.627",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/advisories/GHSA-chfm-68vv-pvw5"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://github.com/xmlunit/xmlunit/issues/264"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/xmlunit/xmlunit/issues/264"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-669"
        }
      ],
      "source": "cve@mitre.org",
      "type": "Secondary"
    }
  ]
}

GHSA-CHFM-68VV-PVW5

Vulnerability from github – Published: 2024-05-01 16:40 – Updated: 2024-05-01 16:40

Summary

XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets

Details

Impact

When performing XSLT transformations XMLUnit for Java did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who's source can not be trusted. If the stylesheet can be provided externally this may even lead to a remote code execution.

Patches

Users are advised to upgrade to XMLUnit for Java 2.10.0 where the default has been changed by means of https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b

Workarounds

XMLUnit's main use-case is performing tests on code that generates or processes XML. Most users will not use it to perform arbitrary XSLT transformations.

Users running XSLT transformations with untrusted stylesheets should explicitly use XMLUnit's APIs to pass in a pre-configured TraX TransformerFactory with extension functions disabled via features and attributes. The required setFactory or setTransformerFactory methods have been available since XMLUnit for Java 2.0.0.

References

Bug Report JAXP Security Guide

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xmlunit:xmlunit-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.10.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-31573"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-01T16:40:01Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nWhen performing XSLT transformations XMLUnit for Java did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who\u0027s source can not be trusted. If the stylesheet can be provided externally this may even lead to a remote code execution.\n\n## Patches\nUsers are advised to upgrade to XMLUnit for Java 2.10.0 where the default has been changed by means of https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b\n\n### Workarounds\nXMLUnit\u0027s main use-case is performing tests on code that generates or processes XML. Most users will not use it to perform arbitrary XSLT transformations.\n\nUsers running XSLT transformations with untrusted stylesheets should explicitly use XMLUnit\u0027s APIs to pass in a pre-configured TraX `TransformerFactory` with extension functions disabled via features and attributes. The required `setFactory` or `setTransformerFactory` methods have been available since XMLUnit for Java 2.0.0.\n\n### References\n[Bug Report](https://github.com/xmlunit/xmlunit/issues/264)\n[JAXP Security Guide](https://docs.oracle.com/en/java/javase/22/security/java-api-xml-processing-jaxp-security-guide.html#GUID-E345AA09-801E-4B95-B83D-7F0C452538AA)\n",
  "id": "GHSA-chfm-68vv-pvw5",
  "modified": "2024-05-01T16:40:01Z",
  "published": "2024-05-01T16:40:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xmlunit/xmlunit/security/advisories/GHSA-chfm-68vv-pvw5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmlunit/xmlunit/issues/264"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b"
    },
    {
      "type": "WEB",
      "url": "https://docs.oracle.com/en/java/javase/22/security/java-api-xml-processing-jaxp-security-guide.html#GUID-E345AA09-801E-4B95-B83D-7F0C452538AA"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xmlunit/xmlunit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets"
}

GSD-2024-31573

Vulnerability from gsd - Updated: 2024-04-11 05:03

Details

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Aliases

CVE-2024-31573

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-31573"
      ],
      "id": "GSD-2024-31573",
      "modified": "2024-04-11T05:03:20.658120Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2024-31573",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}

MSRC_CVE-2024-31573

Vulnerability from csaf_microsoft - Published: 2025-10-02 00:00 - Updated: 2025-10-19 01:01

Summary

XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2024-31573

CWE-669 - Incorrect Resource Transfer Between Spheres

Affected products

Known not affected 2 products

Product	Identifier	Version	Remediation
Unresolved product id: 17086-1		—
Unresolved product id: 17084-2		—

References

4 references

URL	Category
https://msrc.microsoft.com/csaf/vex/2025/msrc_cve…	self
https://support.microsoft.com/lifecycle	external
https://www.first.org/cvss	external
https://msrc.microsoft.com/csaf/vex/2025/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2024-31573 XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled. - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2024-31573.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.",
    "tracking": {
      "current_release_date": "2025-10-19T01:01:21.000Z",
      "generator": {
        "date": "2025-10-22T22:49:11.235Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2024-31573",
      "initial_release_date": "2025-10-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-10-19T01:01:21.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              },
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "category": "product_name",
            "name": "cbl2 javapackages-bootstrap 1.5.0-7",
            "product": {
              "name": "cbl2 javapackages-bootstrap 1.5.0-7",
              "product_id": "1"
            }
          },
          {
            "category": "product_name",
            "name": "azl3 javapackages-bootstrap 1.14.0-3",
            "product": {
              "name": "azl3 javapackages-bootstrap 1.14.0-3",
              "product_id": "2"
            }
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 javapackages-bootstrap 1.5.0-7 as a component of CBL Mariner 2.0",
          "product_id": "17086-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 javapackages-bootstrap 1.14.0-3 as a component of Azure Linux 3.0",
          "product_id": "17084-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-31573",
      "cwe": {
        "id": "CWE-669",
        "name": "Incorrect Resource Transfer Between Spheres"
      },
      "flags": [
        {
          "label": "component_not_present",
          "product_ids": [
            "17086-1",
            "17084-2"
          ]
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "mitre",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_not_affected": [
          "17086-1",
          "17084-2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-31573 XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled. - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2024-31573.json"
        }
      ],
      "title": "XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled."
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-31573 (GCVE-0-2024-31573)

cleanstart-2026-ia43044

Vulnerability from cleanstart

FKIE_CVE-2024-31573

GHSA-CHFM-68VV-PVW5

Impact

Patches

Workarounds

References

GSD-2024-31573

MSRC_CVE-2024-31573

Tags

Sightings

Nomenclature