CVE-2017-9096

Sažetak

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

Reference

http://www.securityfocus.com/archive/1/541483/100/0/threaded
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt
https://www.oracle.com/security-alerts/cpuoct2020.html

CVSS

Base:	6.8
Impact:	6.4
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

20-10-2020 - 22:15

Objavljeno

08-11-2017 - 16:29