CVSSv2: 6.8

CVE-2017-9096

Published: 08/11/2017 Updated: 20/10/2020
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

The XML parsers in iText prior to 5.5.12 and 7.x prior to 7.0.3 do not disable external entities, which might allow remote malicious users to conduct XML external entity (XXE) attacks via a crafted PDF.

Vulnerable Products

itextpdf itext 7.0.0

itextpdf itext 7.0.1

itextpdf itext 7.0.2

itextpdf itext

Vendor Advisories

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF ...

Github Repositories

CVE-2017-9096

1. Creating the malicious PDF containing XXE

Get a PDF containing a form: wget www.pdfscripting.com/public/FreeStuff/PDFSamples/ModifySubmit_Example.pdf -O input.pdf

Decompress PDF: to do that you need to decompress the PDF with qpdf --qdf --object-streams=disable input.pdf output.pdf, then you can edit the PDF with a