chore(deps): update assertj.version to v3.27.7 [security] by renovate[bot] · Pull Request #89 · RedFroggy/spring-cucumber-rest-api

renovate · 2021-09-30T22:39:04Z

This PR contains the following updates:

Package	Change	Age	Confidence
org.assertj:assertj-core (source)	`3.20.2` → `3.27.7`

AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion

CVE-2026-24400 / GHSA-rqfh-9r24-8c9r

More information

Details

An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert
xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter

Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

Read arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files)
Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
Cause Denial of Service via "Billion Laughs" entity expansion attacks

Mitigation

isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

Replace isXmlEqualTo(CharSequence) with XMLUnit, or
Upgrade to version 3.27.7, or
Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input.

XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

References

Severity

CVSS Score: 8.2 / 10 (High)
Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: (in timezone Europe/Paris)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot force-pushed the renovate/assertj.version branch from 46d8e03 to 3c18fb6 Compare March 7, 2022 12:55

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.21.0~~ chore(deps): update dependency org.assertj:assertj-core to v3.22.0 Mar 7, 2022

renovate Bot force-pushed the renovate/assertj.version branch from 3c18fb6 to 8069004 Compare June 18, 2022 21:54

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.22.0~~ chore(deps): update dependency org.assertj:assertj-core to v3.23.1 Jun 18, 2022

renovate Bot force-pushed the renovate/assertj.version branch from 8069004 to 2e89b1e Compare March 18, 2023 18:04

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.23.1~~ chore(deps): update dependency org.assertj:assertj-core to v3.24.2 Mar 18, 2023

renovate Bot force-pushed the renovate/assertj.version branch from 2e89b1e to cc3d0ea Compare December 31, 2023 16:32

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.24.2~~ chore(deps): update dependency org.assertj:assertj-core to v3.25.0 Dec 31, 2023

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.25.0~~ chore(deps): update dependency org.assertj:assertj-core to v3.25.1 Jan 3, 2024

renovate Bot force-pushed the renovate/assertj.version branch from cc3d0ea to 77f86fc Compare January 3, 2024 03:26

renovate Bot force-pushed the renovate/assertj.version branch from 77f86fc to fc59497 Compare January 24, 2024 15:09

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.25.1~~ chore(deps): update dependency org.assertj:assertj-core to v3.25.2 Jan 24, 2024

renovate Bot force-pushed the renovate/assertj.version branch from fc59497 to 511b430 Compare February 5, 2024 01:36

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.25.2~~ chore(deps): update dependency org.assertj:assertj-core to v3.25.3 Feb 5, 2024

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.25.3~~ chore(deps): update dependency org.assertj:assertj-core to v3.26.0 May 26, 2024

renovate Bot force-pushed the renovate/assertj.version branch from 511b430 to 62f9c74 Compare May 26, 2024 12:06

renovate Bot force-pushed the renovate/assertj.version branch from 62f9c74 to f05afdc Compare July 9, 2024 19:37

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.26.0~~ chore(deps): update dependency org.assertj:assertj-core to v3.26.3 Jul 9, 2024

renovate Bot force-pushed the renovate/assertj.version branch from f05afdc to da137ec Compare December 19, 2024 17:46

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.26.3~~ chore(deps): update dependency org.assertj:assertj-core to v3.27.0 Dec 19, 2024

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.27.0~~ chore(deps): update dependency org.assertj:assertj-core to v3.27.1 Jan 1, 2025

renovate Bot force-pushed the renovate/assertj.version branch from da137ec to 01efa95 Compare January 1, 2025 19:57

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.27.1~~ chore(deps): update dependency org.assertj:assertj-core to v3.27.2 Jan 4, 2025

renovate Bot force-pushed the renovate/assertj.version branch from 01efa95 to dfbe614 Compare January 4, 2025 12:58

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.27.2~~ chore(deps): update dependency org.assertj:assertj-core to v3.27.3 Jan 19, 2025

renovate Bot force-pushed the renovate/assertj.version branch from dfbe614 to 951f3ea Compare January 19, 2025 09:35

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.27.3~~ chore(deps): update dependency org.assertj:assertj-core to v3.27.4 Aug 7, 2025

renovate Bot force-pushed the renovate/assertj.version branch from 951f3ea to 2f6abac Compare August 7, 2025 14:28

renovate Bot force-pushed the renovate/assertj.version branch from 2f6abac to a5361af Compare September 18, 2025 22:50

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.27.4~~ chore(deps): update dependency org.assertj:assertj-core to v3.27.5 Sep 18, 2025

renovate Bot force-pushed the renovate/assertj.version branch from a5361af to 9c43649 Compare September 22, 2025 21:38

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.27.5~~ chore(deps): update dependency org.assertj:assertj-core to v3.27.6 Sep 22, 2025

chore(deps): update dependency org.assertj:assertj-core to v3.27.7

cfd55d5

renovate Bot force-pushed the renovate/assertj.version branch from 9c43649 to cfd55d5 Compare January 24, 2026 21:44

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.27.6~~ chore(deps): update dependency org.assertj:assertj-core to v3.27.7 Jan 24, 2026

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.27.7~~ chore(deps): update dependency org.assertj:assertj-core to v3.27.7 [security] Jan 27, 2026

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.27.7 [security]~~ chore(deps): update dependency org.assertj:assertj-core to v3.27.7 Mar 27, 2026

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.27.7~~ chore(deps): update dependency org.assertj:assertj-core to v3.27.7 [security] Mar 30, 2026

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.27.7 [security]~~ chore(deps): update dependency org.assertj:assertj-core to v3.27.7 Apr 27, 2026

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.27.7~~ chore(deps): update dependency org.assertj:assertj-core to v3.27.7 [security] Apr 27, 2026

renovate Bot changed the title ~~chore(deps): update dependency org.assertj:assertj-core to v3.27.7 [security]~~ chore(deps): update assertj.version to v3.27.7 [security] Jun 2, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update assertj.version to v3.27.7 [security]#89

chore(deps): update assertj.version to v3.27.7 [security]#89
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/assertj.version

renovate Bot commented Sep 30, 2021 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Sep 30, 2021 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion

Details

Impact

Mitigation

References

Severity

References

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate Bot commented Sep 30, 2021 •

edited

Loading