XMLUnit2 has an RCE vulnerability caused by XSLT

[c1gar]

pom.xml

<dependency>
			<groupId>org.xmlunit</groupId>
			<artifactId>xmlunit-core</artifactId>
			<version>2.9.1</version>
</dependency>

poc

import org.xmlunit.transform.Transformation;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class xmlunit_test {
    public static void main(String[] args) {
        Transformation transformation = new Transformation();
        Source xml = new StreamSource("1.xml");;
        transformation.setSource(xml);
        Source xsl = new StreamSource("1.xsl");;
        transformation.setStylesheet(xsl);
        Result result = new StreamResult("output.xml");;
        transformation.transformTo(result);
    }
}

There is no function for setting security parameters in org.xmlunit.transform.Transformation, and the default security parameters do not include defense against XSLT vulnerabilities.
And I would like to emphasize that XSLT vulnerabilities and XXE vulnerabilities are completely different types of vulnerabilities. XSLT vulnerabilities belong to CWE-94 type, while XXE vulnerabilities belong to CWE-611. For more details, please refer to [CVE-2017-7465](https://nvd.nist.gov/vuln/detail/CVE-2017-7465).

[bodewig]

with b81d48b I've disabled extension functions by default.

Even with 2.9.1 and earlier it is possible to disable extension functions by passing in a properly configured TransformerFactory to the Transaformation class.

I still need a way to do the same to XPathFactory and will look into it.

[c1gar]

@bodewig I have applied for a CVE number for this. Would you mind disclosing it? The CVE number is CVE-2024-31573.

[bodewig]

I honestly don't believe this is worth a CVE as people who need to disable extension functions have always been able to do so. If you insist on the CVE it can certainly be "disclosed" - it's bee public knowledge for weeks anyway.

What is your preferred way of disclosing it? I have zero experience with publishing CVEs around github.

[c1gar]

@bodewig I would like to proceed with disclosing this CVE. My preferred platform for disclosure is GitHub. If that is not feasible, we can disclose it in the way you are most familiar with. Thank you.

[bodewig]

@c1gar I will draft a security advisory later today, not sure I can share its content with you in a reasonable way - maybe you could drop me an email (my primary mail address is stefan.bodewig@freenet.de )

[bodewig]

GHSA-chfm-68vv-pvw5