Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY]#1050
renovate[bot] wants to merge 1 commit into
Renovate Jira issue ID: SLE-1496
Summary
This PR updates AssertJ from 3.4.1 to 3.27.7 to address CVE-2026-24400, an XXE vulnerability in XML assertion methods. The change is minimal and scoped to a single test dependency in the integration test project, so it carries low risk—test code can be freely updated without affecting production. The large version jump (23 versions) is safe since this is a test-only dependency, though reviewers should verify the codebase doesn't rely on deprecated AssertJ APIs.
What reviewers should know
Where to look: Only
What to verify: Check if the codebase uses any of the affected methods:
If these methods are used with untrusted XML input (e.g., test fixtures from external sources), the fix is necessary. If used with trusted XML only, the code is already safe.
Version context: This jumps from 3.4.1 (released ~2013) to 3.27.7 (2024)—a significant leap, but acceptable for test code. Scan the changelog briefly if you're concerned about breaking changes to assertion semantics, though AssertJ's assertion logic is typically stable.
84ab86d to e5d351c
This PR contains the following updates:
- org.assertj:assertj-core: 3.4.1 → 3.27.7
Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
CVE-2026-24400 / GHSA-rqfh-9r24-8c9r
Details
An XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values.
An application is vulnerable only when it uses untrusted XML input with one of the following methods:
- `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert`
- `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`
Impact
If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:
- read local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files)
Mitigation
`isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:
- replace `isXmlEqualTo(CharSequence)` with XMLUnit, or
- avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input.
`XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
Severity
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
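As an added illustration that is not code from the advisory, this PR, or AssertJ itself (the class and method names are the example's own), the default `DocumentBuilderFactory` configuration the advisory describes is shown beside a hardened one; both are run against a constructed fixture carrying an external entity declaration whose target is a nonexistent placeholder path.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XmlFixtureParsing {
    // Weak configuration, the pattern the advisory describes: default factory
    // settings leave DOCTYPE declarations and external entities enabled.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: refuse DOCTYPE declarations outright and, as defence
    // in depth, disable external entity and external DTD/schema resolution.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Document parse(DocumentBuilder builder, String xml) throws Exception {
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed fixture: a DOCTYPE declaring an external entity whose target
        // is a deliberately nonexistent placeholder path.
        String fixture = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///nonexistent/placeholder\">]>"
            + "<d>&ext;</d>";
        for (DocumentBuilder b : new DocumentBuilder[] {defaultBuilder(), hardenedBuilder()}) {
            try {
                parse(b, fixture);
                System.out.println("parsed: entity reference was accepted");
            } catch (Exception e) {
                // Default builder: I/O error while fetching the target; hardened: SAXParseException at the DOCTYPE.
                System.out.println("failed: " + e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
    }
}
```

The default builder fails only because the entity target does not exist, which is the point: it attempted the fetch, while the hardened builder stops at the DOCTYPE before resolving anything.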
Configuration
📅 Schedule: (in timezone CET)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.