iText PDF Library 7.0.2 / 5.5.11 / 2.0.8 XXE Injection

2017.11.08
Risk: High
Local: No
Remote: Yes
CWE: CWE-611


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

##################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#
##################################################################
#
# Product:  iText PDF Library
# Vendor:   iText Group
# CVE ID:   CVE-2017-9096
# CSNC ID:  CSNC-2017-017
# Subject:  XML External Entity Attack (XXE)
# Risk:     Medium
# Effect:   Remotely exploitable
# Author:   Benjamin Bruppacher <benjamin.bruppacher@compass-security.com>
# Date:     2017-11-06
#
##################################################################

Introduction:
-------------
iText is a software developer toolkit that allows users to integrate PDF functionalities within their applications, processes or products.

The XML parsers used inside the library are not configured to disable external entities. This can be used for XML External Entity Attacks [1].

Affected versions:
------------------
Vulnerable:
* 2.0.8
* 5.5.11
* 7.0.2

Not vulnerable:
* 5.5.12
* 7.0.3

Technical Description
---------------------
The attack can be carried out by submitting a malicious PDF to an iText application that parses XML data. By placing XXE payloads inside the XML data that resides in the PDF, an attacker can, for example, read files from the server or forge requests originating from it.

Timeline:
---------
2017-05-10: Discovery by Benjamin Bruppacher
2017-05-15: Initial vendor notification
2017-08-01: Vendor releases patch
2017-11-06: Disclosure of the advisory

References:
-----------
[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
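The root cause named in the introduction is an XML parser left at its default configuration, which resolves external entities. As an added example (not part of the advisory and not iText's own code), the Java snippet below contrasts a default JAXP DocumentBuilder with one hardened by disallowing DOCTYPE declarations and external entities. It parses a constructed sample document that declares a SYSTEM entity pointing at a placeholder URI; a recording EntityResolver shows whether the parser ever asks for that resource, without actually fetching anything. The sample XML, the placeholder URI and the class and method names are assumptions for illustration.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class XxeParserHardening {

    // Constructed sample (not from the advisory): an XML document with an
    // internal DTD subset declaring an external general entity. The URI is a
    // placeholder, not a real file.
    static final String SAMPLE_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\"> ]>\n"
        + "<data>&ext;</data>";

    // Records which external resource the parser asked for and hands back an
    // empty document instead, so the demonstration never reads anything.
    static final class RecordingResolver implements EntityResolver {
        String lastSystemId;

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            lastSystemId = systemId;
            return new InputSource(new StringReader(""));
        }
    }

    // Weak setting: a factory left at its defaults resolves external entities.
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Corrected setting: refuse DOCTYPE declarations outright (which removes the
    // whole entity mechanism) and, as defence in depth, switch off external
    // entity loading, external DTD loading, XInclude and entity expansion.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the system identifier the parser tried to resolve, or null if it
    // never requested an external resource (the hardened parser rejects the
    // DOCTYPE with a SAXException before reaching the entity).
    static String externalEntityRequested(DocumentBuilder builder, String xml) throws IOException {
        RecordingResolver resolver = new RecordingResolver();
        builder.setEntityResolver(resolver);
        try {
            builder.parse(new InputSource(new StringReader(xml)));
        } catch (SAXException e) {
            // Expected for the hardened parser: "DOCTYPE is disallowed".
        }
        return resolver.lastSystemId;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default parser requested:  "
            + externalEntityRequested(defaultParser(), SAMPLE_XML));
        System.out.println("hardened parser requested: "
            + externalEntityRequested(hardenedParser(), SAMPLE_XML));
    }
}
```

With the JDK's built-in Xerces parser the default builder reports the placeholder URI, because it asked the resolver for the external entity; the hardened builder reports null, because the DOCTYPE was rejected before any entity could be declared. The same features apply to SAXParserFactory and, via equivalent properties, to XMLInputFactory; any code path that hands attacker-supplied XML (such as metadata or form data embedded in a PDF) to one of these parsers should use the hardened configuration.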

