www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andreas Lehmkuehler <le...@apache.org>
Subject [SECURITY] CVE-2019-0228 Apache PDFBox XML External Entity vulnerability
Date Fri, 12 Apr 2019 04:43:44 GMT
CVE-2019-0228: Apache PDFBox XML External Entity vulnerability

Severity: Important


Vendor:
The Apache Software Foundation

Versions Affected:
Apache PDFBox 2.0.14


Description:
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows 
context-dependent attackers to conduct XML External Entity (XXE) attacks via a 
crafted XFDF.

Mitigation:
Upgrade to Apache PDFBox 2.0.15

Credit:
This issue was discovered by Kurt Boberg from DocuSign

[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

Mime
View raw message