CVE-2026-24400 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2026-24400 Interim 1 1 2026-03-05T00:16:28Z current 2026-03-05T00:16:28Z 2026-03-05T00:16:28Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2026-24400 AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2026-January/023994.html E-Mail link for SUSE-SU-2026:0344-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings Container suse/sl-micro/6.0/toolbox:13.2-9.1 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 openSUSE Leap 15.6 openSUSE Tumbleweed assertj-core assertj-core-3.27.7-1.1 assertj-core-3.27.7-150200.5.9.2 assertj-core-3.27.7-160000.1.1 assertj-core-javadoc assertj-core-javadoc-3.27.7-1.1 assertj-core-javadoc-3.27.7-160000.1.1 containerd-1.7.29-slfo.1.1_1.1 libpython3_11-1_0-3.11.12-1.1 python311-3.11.12-1.1 python311-base-3.11.12-1.1 libpython3_11-1_0-3.11.12-1.1 as a component of Container suse/sl-micro/6.0/toolbox:13.2-9.1 python311-base-3.11.12-1.1 as a component of Container suse/sl-micro/6.0/toolbox:13.2-9.1 containerd-1.7.29-slfo.1.1_1.1 as a component of Image SL-Micro-Azure containerd-1.7.29-slfo.1.1_1.1 as a component of Image SL-Micro-BYOS-Azure containerd-1.7.29-slfo.1.1_1.1 as a component of Image SL-Micro-BYOS-EC2 containerd-1.7.29-slfo.1.1_1.1 as a component of Image SL-Micro-BYOS-GCE containerd-1.7.29-slfo.1.1_1.1 as a component of Image SL-Micro-EC2 containerd-1.7.29-slfo.1.1_1.1 as a component of Image SLE-Micro libpython3_11-1_0-3.11.12-1.1 as a component of Image SLE-Micro python311-3.11.12-1.1 as a component of Image SLE-Micro python311-base-3.11.12-1.1 as a component of Image SLE-Micro containerd-1.7.29-slfo.1.1_1.1 as a component of Image SLE-Micro-Azure libpython3_11-1_0-3.11.12-1.1 as a component of Image SLE-Micro-Azure python311-3.11.12-1.1 as a component of Image SLE-Micro-Azure python311-base-3.11.12-1.1 as a component of Image SLE-Micro-Azure containerd-1.7.29-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS libpython3_11-1_0-3.11.12-1.1 as a component of Image SLE-Micro-BYOS python311-3.11.12-1.1 as a component of Image SLE-Micro-BYOS python311-base-3.11.12-1.1 as a component of Image SLE-Micro-BYOS containerd-1.7.29-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS-Azure libpython3_11-1_0-3.11.12-1.1 as a component of Image SLE-Micro-BYOS-Azure python311-3.11.12-1.1 as a component of Image SLE-Micro-BYOS-Azure python311-base-3.11.12-1.1 as a component of Image SLE-Micro-BYOS-Azure containerd-1.7.29-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS-EC2 libpython3_11-1_0-3.11.12-1.1 as a component of Image SLE-Micro-BYOS-EC2 python311-3.11.12-1.1 as a component of Image SLE-Micro-BYOS-EC2 python311-base-3.11.12-1.1 as a component of Image SLE-Micro-BYOS-EC2 containerd-1.7.29-slfo.1.1_1.1 as a component of Image SLE-Micro-BYOS-GCE libpython3_11-1_0-3.11.12-1.1 as a component of Image SLE-Micro-BYOS-GCE python311-3.11.12-1.1 as a component of Image SLE-Micro-BYOS-GCE python311-base-3.11.12-1.1 as a component of Image SLE-Micro-BYOS-GCE containerd-1.7.29-slfo.1.1_1.1 as a component of Image SLE-Micro-EC2 libpython3_11-1_0-3.11.12-1.1 as a component of Image SLE-Micro-EC2 python311-3.11.12-1.1 as a component of Image SLE-Micro-EC2 python311-base-3.11.12-1.1 as a component of Image SLE-Micro-EC2 containerd-1.7.29-slfo.1.1_1.1 as a component of Image SLE-Micro-GCE libpython3_11-1_0-3.11.12-1.1 as a component of Image SLE-Micro-GCE python311-3.11.12-1.1 as a component of Image SLE-Micro-GCE python311-base-3.11.12-1.1 as a component of Image SLE-Micro-GCE containerd-1.7.29-slfo.1.1_1.1 as a component of Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure containerd-1.7.29-slfo.1.1_1.1 as a component of Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 containerd-1.7.29-slfo.1.1_1.1 as a component of Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE containerd-1.7.29-slfo.1.1_1.1 as a component of Image SUSE-Multi-Linux-Manager-Server-Azure-llc containerd-1.7.29-slfo.1.1_1.1 as a component of Image SUSE-Multi-Linux-Manager-Server-Azure-ltd containerd-1.7.29-slfo.1.1_1.1 as a component of Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure containerd-1.7.29-slfo.1.1_1.1 as a component of Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 containerd-1.7.29-slfo.1.1_1.1 as a component of Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE containerd-1.7.29-slfo.1.1_1.1 as a component of Image SUSE-Multi-Linux-Manager-Server-EC2-llc containerd-1.7.29-slfo.1.1_1.1 as a component of Image SUSE-Multi-Linux-Manager-Server-EC2-ltd assertj-core-3.27.7-150200.5.9.2 as a component of openSUSE Leap 15.6 assertj-core-3.27.7-1.1 as a component of openSUSE Tumbleweed assertj-core-javadoc-3.27.7-1.1 as a component of openSUSE Tumbleweed assertj-core-3.27.7-160000.1.1 as a component of SUSE Linux Enterprise Server 16.0 assertj-core-javadoc-3.27.7-160000.1.1 as a component of SUSE Linux Enterprise Server 16.0 assertj-core as a component of SUSE Linux Enterprise Server 16.0 assertj-core-javadoc as a component of SUSE Linux Enterprise Server 16.0 assertj-core as a component of SUSE Linux Enterprise Server for SAP applications 16.0 assertj-core-javadoc as a component of SUSE Linux Enterprise Server for SAP applications 16.0 AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement. CVE-2026-24400 Container suse/sl-micro/6.0/toolbox:13.2-9.1:libpython3_11-1_0-3.11.12-1.1 Container suse/sl-micro/6.0/toolbox:13.2-9.1:python311-base-3.11.12-1.1 Image SL-Micro-Azure:containerd-1.7.29-slfo.1.1_1.1 Image SL-Micro-BYOS-Azure:containerd-1.7.29-slfo.1.1_1.1 Image SL-Micro-BYOS-EC2:containerd-1.7.29-slfo.1.1_1.1 Image SL-Micro-BYOS-GCE:containerd-1.7.29-slfo.1.1_1.1 Image SL-Micro-EC2:containerd-1.7.29-slfo.1.1_1.1 Image SLE-Micro:containerd-1.7.29-slfo.1.1_1.1 Image SLE-Micro:libpython3_11-1_0-3.11.12-1.1 Image SLE-Micro:python311-3.11.12-1.1 Image SLE-Micro:python311-base-3.11.12-1.1 Image SLE-Micro-Azure:containerd-1.7.29-slfo.1.1_1.1 Image SLE-Micro-Azure:libpython3_11-1_0-3.11.12-1.1 Image SLE-Micro-Azure:python311-3.11.12-1.1 Image SLE-Micro-Azure:python311-base-3.11.12-1.1 Image SLE-Micro-BYOS:containerd-1.7.29-slfo.1.1_1.1 Image SLE-Micro-BYOS:libpython3_11-1_0-3.11.12-1.1 Image SLE-Micro-BYOS:python311-3.11.12-1.1 Image SLE-Micro-BYOS:python311-base-3.11.12-1.1 Image SLE-Micro-BYOS-Azure:containerd-1.7.29-slfo.1.1_1.1 Image SLE-Micro-BYOS-Azure:libpython3_11-1_0-3.11.12-1.1 Image SLE-Micro-BYOS-Azure:python311-3.11.12-1.1 Image SLE-Micro-BYOS-Azure:python311-base-3.11.12-1.1 Image SLE-Micro-BYOS-EC2:containerd-1.7.29-slfo.1.1_1.1 Image SLE-Micro-BYOS-EC2:libpython3_11-1_0-3.11.12-1.1 Image SLE-Micro-BYOS-EC2:python311-3.11.12-1.1 Image SLE-Micro-BYOS-EC2:python311-base-3.11.12-1.1 Image SLE-Micro-BYOS-GCE:containerd-1.7.29-slfo.1.1_1.1 Image SLE-Micro-BYOS-GCE:libpython3_11-1_0-3.11.12-1.1 Image SLE-Micro-BYOS-GCE:python311-3.11.12-1.1 Image SLE-Micro-BYOS-GCE:python311-base-3.11.12-1.1 Image SLE-Micro-EC2:containerd-1.7.29-slfo.1.1_1.1 Image SLE-Micro-EC2:libpython3_11-1_0-3.11.12-1.1 Image SLE-Micro-EC2:python311-3.11.12-1.1 Image SLE-Micro-EC2:python311-base-3.11.12-1.1 Image SLE-Micro-GCE:containerd-1.7.29-slfo.1.1_1.1 Image SLE-Micro-GCE:libpython3_11-1_0-3.11.12-1.1 Image SLE-Micro-GCE:python311-3.11.12-1.1 Image SLE-Micro-GCE:python311-base-3.11.12-1.1 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure:containerd-1.7.29-slfo.1.1_1.1 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2:containerd-1.7.29-slfo.1.1_1.1 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE:containerd-1.7.29-slfo.1.1_1.1 Image SUSE-Multi-Linux-Manager-Server-Azure-llc:containerd-1.7.29-slfo.1.1_1.1 Image SUSE-Multi-Linux-Manager-Server-Azure-ltd:containerd-1.7.29-slfo.1.1_1.1 Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure:containerd-1.7.29-slfo.1.1_1.1 Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2:containerd-1.7.29-slfo.1.1_1.1 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE:containerd-1.7.29-slfo.1.1_1.1 Image SUSE-Multi-Linux-Manager-Server-EC2-llc:containerd-1.7.29-slfo.1.1_1.1 Image SUSE-Multi-Linux-Manager-Server-EC2-ltd:containerd-1.7.29-slfo.1.1_1.1 openSUSE Leap 15.6:assertj-core-3.27.7-150200.5.9.2 openSUSE Tumbleweed:assertj-core-3.27.7-1.1 openSUSE Tumbleweed:assertj-core-javadoc-3.27.7-1.1 SUSE Linux Enterprise Server 16.0:assertj-core-3.27.7-160000.1.1 SUSE Linux Enterprise Server 16.0:assertj-core-javadoc-3.27.7-160000.1.1 moderate 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L