CVE-2023-26119
Remote Code Execution (RCE) vulnerability in htmlunit (Maven)

Remote Code Execution (RCE) No known exploit

What is CVE-2023-26119 About?

This vulnerability affects `htmlunit` versions prior to 3.0.0 and allows Remote Code Execution via XSLT when browsing an attacker's webpage. The impact is severe, as it enables arbitrary code execution on the user's system. Exploitation is relatively easy, requiring only that a user visits a malicious website.

Affected Software

net.sourceforge.htmlunit:htmlunit <3.0.0

Technical Details

The vulnerability in net.sourceforge.htmlunit:htmlunit arises from improper handling of XSLT transformations. When a user browses an attacker-controlled webpage with a vulnerable version, the htmlunit library processes malicious XSLT stylesheets embedded within the page. These stylesheets can contain extensions or functions that allow execution of arbitrary commands or scripts in the context of the application using htmlunit. Because these XSLT instructions are processed without restriction, the sandboxing that htmlunit is expected to provide around browsed content is effectively bypassed, leading to remote code execution on the system running the htmlunit instance.

What is the Impact of CVE-2023-26119?

Successful exploitation may allow attackers to achieve arbitrary code execution on the user's system, leading to full system compromise, data theft, or malware installation.

What is the Exploitability of CVE-2023-26119?

Exploitation of this vulnerability is of low complexity. It requires no authentication or special privileges on the target system. The attack is initiated remotely simply by a user visiting a malicious webpage designed by the attacker. The primary prerequisite is that the application uses a vulnerable version of htmlunit to render web content. Exploitation is more likely in applications that use htmlunit to browse or parse untrusted web content, since that exposes them to drive-by and other client-side attacks.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-26119?

Available Upgrade Options

  • net.sourceforge.htmlunit:htmlunit
    • <3.0.0 → Upgrade to 3.0.0


Additional Resources

What are Similar Vulnerabilities to CVE-2023-26119?

Similar Vulnerabilities: CVE-2014-0498, CVE-2013-4122, CVE-2013-1950, CVE-2010-0840, CVE-2007-0097