Security update for assertj-core SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20298-1 Final 1 1 2026-03-02T16:00:38Z current 2026-03-02T16:00:38Z 2026-03-02T16:00:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for assertj-core This update for assertj-core fixes the following issues: Upgrade to version 3.27.7: - CVE-2026-24400: Fix XXE vulnerability in isXmlEqualTo assertion (bsc#1257293). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-336 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1257293 SUSE Bug 1257293 https://www.suse.com/security/cve/CVE-2026-24400/ SUSE CVE CVE-2026-24400 page openSUSE Leap 16.0 assertj-core-3.27.7-160000.1.1 assertj-core-javadoc-3.27.7-160000.1.1 assertj-core-3.27.7-160000.1.1 as a component of openSUSE Leap 16.0 assertj-core-javadoc-3.27.7-160000.1.1 as a component of openSUSE Leap 16.0 AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement. CVE-2026-24400 openSUSE Leap 16.0:assertj-core-3.27.7-160000.1.1 openSUSE Leap 16.0:assertj-core-javadoc-3.27.7-160000.1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2026-24400.html CVE-2026-24400 https://bugzilla.suse.com/1257293 SUSE Bug 1257293