Lookup for vulnerable packages by Package URL.
| Purl | pkg:maven/org.assertj/assertj-core@3.27.7 |
|---|
| Type | maven |
|---|
| Namespace | org.assertj |
|---|
| Name | assertj-core |
|---|
| Version | 3.27.7 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | false |
|---|
| Next_non_vulnerable_version | 3.27.7 |
|---|
| Latest_non_vulnerable_version | 3.27.7 |
|---|
| Affected_by_vulnerabilities |
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-449j-g7eq-bkcy |
| vulnerability_id |
VCID-449j-g7eq-bkcy |
| summary |
AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
An XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values.
An application is vulnerable only when it uses untrusted XML input with one of the following methods:
- `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert`
- `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter` |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-24400, GHSA-rqfh-9r24-8c9r
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-449j-g7eq-bkcy |
|
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/org.assertj/assertj-core@3.27.7 |
|---|