Netflix/dgs-framework

bug: XML Injection (AKA Blind Xpath Injection) in ORG.XMLUNIT:XMLUNIT-CORE [CVE-2024-31573]

nmartin-RatedPower opened this issue · 2 comments

Hello! ✋

First, thank you very much for your time. I have opened as a bug a security vulnerability that affects multiple versions of your library, 8.4.4 being the one I currently use, and it still contains it: https://devhub.checkmarx.com/cve-details/CVE-2024-31573/.

I would like to know first if there is a specific place to report this kind of vulnerability.

On the other hand, I would like to know what this library uses this dependency for. Is it only for testing purposes? If not, will there be any 8.4.X version of the library that fixes it?

Thank you very much and I remain open to start a conversation.

Note: A test case would be highly appreciated, but we understand that's not always possible

It's a transitive dependency from spring-boot-starter-test, and I don't believe it's actually used anywhere in our test suite since we aren't parsing any XML. I don't think a user of DGS would get the dependency at all unless they are also pulling in spring-boot-starter-test; you can exclude that transitive dependency, or use Spring's dependency management to override the version used there.

See: spring-projects/spring-boot#41029, looks like it wouldn't be updated there until Spring Boot 3.4.
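The two remediations named in the comment above (exclude the transitive dependency, or override the version Spring Boot manages), written out as a Gradle Kotlin DSL snippet. This is an added example, not code from the DGS project or from the comment author; it assumes a project that applies the Spring Boot Gradle plugin and the `io.spring.dependency-management` plugin, and `PATCHED_XMLUNIT_VERSION` is a placeholder to be replaced with the version the advisory lists as fixed.

```kotlin
// build.gradle.kts (added example, not the DGS project's build file)
//
// Option A: drop org.xmlunit:xmlunit-core from the test starter entirely.
// Only do this if nothing in the test suite parses XML with XMLUnit;
// the comment above notes DGS's own tests do not.
dependencies {
    testImplementation("org.springframework.boot:spring-boot-starter-test") {
        exclude(group = "org.xmlunit", module = "xmlunit-core")
    }
}

// Option B: keep XMLUnit but pin the version Spring Boot's dependency
// management resolves. "xmlunit2.version" is the property name Spring Boot's
// BOM uses for XMLUnit 2.x; PATCHED_XMLUNIT_VERSION is a placeholder.
extra["xmlunit2.version"] = "PATCHED_XMLUNIT_VERSION"

// Verification after either change. Because the starter is declared with
// testImplementation, xmlunit-core should appear only on the test classpath
// and never on runtimeClasspath of the shipped application:
//
//   ./gradlew dependencyInsight --dependency xmlunit-core --configuration testRuntimeClasspath
//   ./gradlew dependencyInsight --dependency xmlunit-core --configuration runtimeClasspath
//
// The first command shows the excluded/overridden result; the second should
// report that no dependency matching xmlunit-core is present.
```

Use one option, not both: with Option A the override in Option B has nothing left to pin, and with Option B the exclusion in Option A would remove the patched artifact you just selected. The `dependencyInsight` output is the evidence to attach to a scanner finding, since it shows the resolved version and the configuration it resolves in.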

Closing as it is not actionable; this is coming from Spring Boot, as @kilink explained.