Lucene search

Ubuntu.comUB:CVE-2023-49093

HistoryDec 04, 2023 - 12:00 a.m.

CVE-2023-49093

2023-12-0400:00:00

ubuntu.com

htmlunit

remote code execution

xstl

browsing

attacker

webpage

java

vulnerability

patched

version 3.9.0

launchpad

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

71.0%

JSON

HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerable to
Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage.
This vulnerability has been patched in version 3.9.0

Notes

Author	Note
	Priority reason: This is a vulnerability that can be triggered remotely and leads to code execution. A PoC has been made available.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchhtmlunit< anyUNKNOWN
ubuntu16.04noarchhtmlunit< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	htmlunit	< any	UNKNOWN
ubuntu	16.04	noarch	htmlunit	< any	UNKNOWN

References

github.com/HtmlUnit/htmlunit/security/advisories/GHSA-37vq-hr2f-g7h7

launchpad.net/bugs/cve/CVE-2023-49093

nvd.nist.gov/vuln/detail/CVE-2023-49093

security-tracker.debian.org/tracker/CVE-2023-49093

www.cve.org/CVERecord?id=CVE-2023-49093

www.htmlunit.org/changes-report.html#a3.9.0

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.9 High

AI Score

Confidence

Low

0.003 Low

EPSS

Percentile

71.0%

JSON

Related for UB:CVE-2023-49093