XML External Entity injection in iText - CVE-2017-9096


Published: November 8, 2017 / Updated: July 18, 2020


Vulnerability identifier: #VU31399
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-9096
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: iText Group NV
Affected software:
iText

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.


How to mitigate CVE-2017-9096

Install the update from the vendor's website.

Sources