Description
Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.
It was found that the parsing of XMP and other XML formats in PDF by Apache PDFBox would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
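The root cause described above is an XML parser that is created with default settings, so a DOCTYPE inside embedded XMP or other XML can declare entities that the parser then resolves. The following is an added example, not code from PDFBox or from the advisory, showing the JAXP hardening a defender would apply before feeding untrusted XML to a `DocumentBuilder`: DOCTYPE declarations are refused outright and external entity resolution is switched off. The class name `HardenedXmlParser` and both sample documents are constructed for this illustration; the entity in the second sample is a harmless internal one, used only to show that the DOCTYPE is rejected before any entity could be expanded.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical helper (not part of PDFBox): builds a DocumentBuilderFactory
// that cannot be used for XXE, then parses two constructed sample documents.
public class HardenedXmlParser {

    // Refuse DOCTYPE declarations and disable every external-entity path, so
    // entity references in embedded XML (e.g. XMP metadata) cannot pull in
    // local files or remote resources.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE blocks internal and external entity declarations alike.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt-and-braces for parsers where a DOCTYPE must be tolerated elsewhere.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Adds entity-expansion limits on parsers that support secure processing.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    public static Document parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal XMP-style packet without a DTD parses normally.
        String benign = "<?xml version=\"1.0\"?>"
            + "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\"><rdf>ok</rdf></x:xmpmeta>";
        System.out.println("benign root: " + parse(benign).getDocumentElement().getNodeName());

        // Constructed sample: the same packet with a DOCTYPE declaring an internal entity.
        // The hardened parser stops at the DOCTYPE, so the entity is never resolved.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE x [<!ENTITY e \"placeholder\">]>"
            + "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\">&e;</x:xmpmeta>";
        try {
            parse(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

`setFeature` throws `ParserConfigurationException` on a JAXP implementation that does not know a given feature; treat that as a configuration failure rather than silently continuing, since the default Xerces-based parser in the JDK supports all of the features above. The same features apply to `SAXParserFactory` and, via properties, to `XMLInputFactory` for StAX.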
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | pdfbox | Affected | | |
| Red Hat JBoss BRMS 6 | pdfbox | Affected | | |
| Red Hat JBoss Fuse 6 | pdfbox | Affected | | |
| Red Hat JBoss Fuse Service Works 6 | pdfbox | Not affected | | |
| Red Hat JBoss Portal 6 | pdfbox | Will not fix | | |
| Red Hat Satellite 5 | pdfbox | Affected | | |
| Red Hat JBoss A-MQ 6.3 | | Fixed | RHSA-2017:0179 | 19.01.2017 |
| Red Hat JBoss BPMS 6.4 | | Fixed | RHSA-2017:0249 | 02.02.2017 |
| Red Hat JBoss BRMS 6.4 | | Fixed | RHSA-2017:0248 | 02.02.2017 |
| Red Hat JBoss Data Virtualization 6.3 | pdfbox | Fixed | RHSA-2017:0272 | 14.02.2017 |
Additional information
Status:
CVSS3: 5.4 Medium
CVSS2: 5.8 Medium
Related vulnerabilities
- Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.
- Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.
- Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly ini ...
- High severity vulnerability that affects org.apache.pdfbox:pdfbox