Description
Improper Restriction of XML External Entity Reference in iText
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-9096
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
- https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://www.securityfocus.com/archive/1/541483/100/0/threaded
Packages
- com.itextpdf:itextpdf: affected < 5.5.12; fixed in 5.5.12
- com.itextpdf:itextpdf: affected >= 7.0.0, < 7.0.3; fixed in 7.0.3
- com.lowagie:itext: affected <= 4.2.2; no fixed version
Related vulnerabilities
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
Vulnerability in the XML parsers component of the iText software development library, allowing an attacker to conduct XXE attacks