{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24400", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-22T18:19:49.172Z", "datePublished": "2026-01-26T22:19:02.161Z", "dateUpdated": "2026-01-27T21:36:26.716Z"}, "containers": {"cna": {"title": "AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion", "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r"}, {"name": "https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a", "tags": ["x_refsource_MISC"], "url": "https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a"}, {"name": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "tags": ["x_refsource_MISC"], "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"}, {"name": "https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7"}], "affected": [{"vendor": "assertj", "product": "assertj", "versions": [{"version": ">= 1.4.0, < 3.27.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:19:02.161Z"}, "descriptions": [{"lang": "en", "value": "AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via \"Billion Laughs\" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement."}], "source": {"advisory": "GHSA-rqfh-9r24-8c9r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T21:36:16.298177Z", "id": "CVE-2026-24400", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:36:26.716Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24400", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T21:36:16.298177Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:36:22.452Z"}}], "cna": {"title": "AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion", "source": {"advisory": "GHSA-rqfh-9r24-8c9r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "assertj", "product": "assertj", "versions": [{"status": "affected", "version": ">= 1.4.0, < 3.27.7"}]}], "references": [{"url": "https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r", "name": "https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a", "name": "https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a", "tags": ["x_refsource_MISC"]}, {"url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "name": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7", "name": "https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via \"Billion Laughs\" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-26T22:19:02.161Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24400", "state": "PUBLISHED", "dateUpdated": "2026-01-27T21:36:26.716Z", "dateReserved": "2026-01-22T18:19:49.172Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-26T22:19:02.161Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:assertj:assertj:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFAFB3AE-8EC2-4EB4-8F33-5FAC24932474", "versionEndExcluding": "3.27.7", "versionStartIncluding": "1.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via \"Billion Laughs\" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement."}, {"lang": "es", "value": "AssertJ proporciona aserciones de prueba fluidas para Java y la M\u00e1quina Virtual de Java (JVM). A partir de la versi\u00f3n 1.4.0 y antes de la versi\u00f3n 3.27.7, existe una vulnerabilidad de Entidad Externa XML (XXE) en `org.assertj.core.util.xml.XmlStringPrettyFormatter`: el m\u00e9todo `toXmlDocument(String)` inicializa `DocumentBuilderFactory` con configuraciones predeterminadas, sin deshabilitar DTDs o entidades externas. Este formateador es utilizado por la aserci\u00f3n `isXmlEqualTo(CharSequence)` para valores `CharSequence`. Una aplicaci\u00f3n es vulnerable solo cuando utiliza entrada XML no confiable con `isXmlEqualTo(CharSequence)` de `org.assertj.core.api.AbstractCharSequenceAssert` o `xmlPrettyFormat(String)` de `org.assertj.core.util.xml.XmlStringPrettyFormatter`. Si la entrada XML no confiable es procesada por uno de estos m\u00e9todos, un atacante podr\u00eda leer archivos locales arbitrarios a trav\u00e9s de URIs `file://` (por ejemplo, `/etc /passwd`, archivos de configuraci\u00f3n de la aplicaci\u00f3n); realizar Falsificaci\u00f3n de Petici\u00f3n del Lado del Servidor (SSRF) a trav\u00e9s de URIs HTTP/HTTPS, y/o causar Denegaci\u00f3n de Servicio a trav\u00e9s de ataques de expansi\u00f3n de entidad \"Billion Laughs\". `isXmlEqualTo(CharSequence)` ha sido desaprobado a favor de XMLUnit en la versi\u00f3n 3.18.0 y ser\u00e1 eliminado en la versi\u00f3n 4.0. Los usuarios de las versiones afectadas deber\u00edan, en orden de preferencia: reemplazar `isXmlEqualTo(CharSequence)` con XMLUnit, actualizar a la versi\u00f3n 3.27.7, o evitar usar `isXmlEqualTo(CharSequence)` o `XmlStringPrettyFormatter` con entrada no confiable. `XmlStringPrettyFormatter` hist\u00f3ricamente ha sido considerado una utilidad para `isXmlEqualTo(CharSequence)` en lugar de una caracter\u00edstica para los usuarios de AssertJ, por lo que es desaprobado en la versi\u00f3n 3.27.7 y eliminado en la versi\u00f3n 4.0, sin reemplazo."}], "id": "CVE-2026-24400", "lastModified": "2026-03-09T14:15:14.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-26T23:16:08.803", "references": [{"source": "security-advisories@github.com", "tags": ["Technical Description"], "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "assertj: AssertJ: Information disclosure and denial of service via XML External Entity (XXE)", "id": "2433116", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433116"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "status": "draft"}, "cwe": "CWE-611", "details": ["A flaw was found in AssertJ. An XML External Entity (XXE) vulnerability exists in the `XmlStringPrettyFormatter` component, which is used by the `isXmlEqualTo(CharSequence)` assertion. If an application processes untrusted XML input using these methods, a remote attacker could exploit this flaw to read arbitrary local files, perform Server-Side Request Forgery (SSRF) by making the server request arbitrary URLs, or cause a Denial of Service (DoS) through entity expansion attacks."], "name": "CVE-2026-24400", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/kn-ekb-dispatcher-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/kn-ekb-receiver-rhel9", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:apache_camel_hawtio:4", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:apicurio_registry:3", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat build of Apicurio Registry 3"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:debezium:3", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat build of Debezium 3"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "moditect", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "javapackages-tools:201801/assertj-core", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "javapackages-tools:201801/maven-surefire", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "javapackages-tools:201801/powermock", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "maven-enforcer", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-trustyai-service-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-trustyai-service-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/dashboard-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/devspaces-operator-bundle", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/udi-base-rhel10", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/udi-base-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Fix deferred", "package_name": "devspaces/udi-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:2", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "streams for Apache Kafka 2"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Fix deferred", "package_name": "assertj-core", "product_name": "streams for Apache Kafka 3"}, {"cpe": "cpe:/a:redhat:amq_streams:3", "fix_state": "Fix deferred", "package_name": "rocksdbjni", "product_name": "streams for Apache Kafka 3"}], "public_date": "2026-01-26T22:19:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24400\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24400\nhttps://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html\nhttps://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a\nhttps://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7\nhttps://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r"], "statement": "Exploitation of this vulnerability requires that a user processes untrusted content with the affected package.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T02:35:06.670669+00:00", "value": {"mitigation_remediation": ["Upgrade AssertJ to version 3.27.7 or later, which deprecates and removes the vulnerable formatter", "Replace calls to isXmlEqualTo(CharSequence) with XMLUnit or remove those assertions entirely", "Ensure that any input passed to isXmlEqualTo or XmlStringPrettyFormatter is strictly trusted, or sanitise it to disallow external entities before parsing"], "summary": {"action": "Immediate Patch", "impact": "Read arbitrary local files and execute SSRF via XXE in AssertJ XML parsing"}, "threat_synthesis": {"affected_systems": "The vulnerable code exists in AssertJ versions from 1.4.0 up to 3.27.6, inclusive. It affects the AssertJ library (assertj:assertj) when its isXmlEqualTo(CharSequence) assertion or the XmlStringPrettyFormatter are used with XML data that can be controlled by an attacker.", "description_and_impact": "AssertJ contains an XXE vulnerability in the XmlStringPrettyFormatter used by the isXmlEqualTo assertion for CharSequence values. The formatter initializes a DocumentBuilderFactory with default settings, allowing the parser to process external entities. An attacker can cause the library to read arbitrary local files through file:// URIs, perform Server\u2011Side Request Forgery to external HTTP or HTTPS resources, and trigger denial of service by exploiting entity expansion attacks. The flaw corresponds to CWE\u2011611 (XML External Entity (XXE) Processing).", "risk_and_exploitability": "The CVSS score of 8.2 indicates a high severity impact if successfully exploited. However, the EPSS score of <1% shows a very low likelihood that attackers have found or will use exploits in the wild, and the vulnerability is not listed in the CISA KEV catalogue. The typical attack scenario requires the application to pass untrusted XML input into the isXmlEqualTo or XmlStringPrettyFormatter methods, which may occur in test suites or build pipelines that ingest external XML. While the vector is not publicly exploitable in a generic remote context, any environment where untrusted XML is processed by AssertJ remains at risk."}}}}, "created": "2026-01-27T09:03:19.112352+00:00", "updated": "2026-04-18T02:45:27.277686+00:00", "vendors": ["assertj", "assertj$PRODUCT$assertj"]}