Vulnerability

CVE-2017-9096

 Report advisory or correction

CVSS Score 8.8 high

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-611

References

https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9096

[CVE-2017-9096] CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

Description

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

Deviation Notice:
Sonatype's research suggests that this CVE's details differ from those defined at NVD or other reporting sources; sign in for details.

Sign up and see:

Detailed deviation notices:
  • Detailed deviations
  • References
  • Custom Descriptions [Coming Soon]
Sign Up
See com.lowagie/itext package information