chore(deps): update assertj.version [security]#221
Open
ZxBot wants to merge 2 commits into
Open
Conversation
89fb7a9 to
1534dac
Compare
245ee93 to
88c9903
Compare
e11313c to
068e0bf
Compare
068e0bf to
711d3af
Compare
711d3af to
545cb73
Compare
545cb73 to
2efa881
Compare
7155948 to
e210fb5
Compare
b721943 to
f8f958b
Compare
a72128e to
80755e9
Compare
6dc3d79 to
c5eaffa
Compare
5110fb0 to
0ace9a3
Compare
5c45b19 to
eba09dd
Compare
eba09dd to
5f793e9
Compare
5f793e9 to
d74b38d
Compare
d74b38d to
c240d0d
Compare
cd8e618 to
0d60732
Compare
Contributor
Author
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.

0 New Issues
0 Fixed Issues
0 Accepted Issues
No data about coverage
This PR contains the following updates:
3.27.6→3.27.7AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
CVE-2026-24400 / GHSA-rqfh-9r24-8c9r
More information
Details
An XML External Entity (XXE) vulnerability exists in
org.assertj.core.util.xml.XmlStringPrettyFormatter: thetoXmlDocument(String)method initializesDocumentBuilderFactorywith default settings, without disabling DTDs or external entities. This formatter is used by theisXmlEqualTo(CharSequence)assertion forCharSequencevalues.An application is vulnerable only when it uses untrusted XML input with one of the following methods:
isXmlEqualTo(CharSequence)fromorg.assertj.core.api.AbstractCharSequenceAssertxmlPrettyFormat(String)fromorg.assertj.core.util.xml.XmlStringPrettyFormatterImpact
If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:
file://URIs (e.g.,/etc/passwd, application configuration files)Mitigation
isXmlEqualTo(CharSequence)has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:isXmlEqualTo(CharSequence)with XMLUnit, orisXmlEqualTo(CharSequence)orXmlStringPrettyFormatterwith untrusted input.XmlStringPrettyFormatterhas historically been considered a utility forisXmlEqualTo(CharSequence)rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.References
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Configuration
📅 Schedule: (in timezone Europe/Rome)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.