1512827 – (CVE-2017-9096) CVE-2017-9096 itext: External entities not disabled

Bug 1512827 (CVE-2017-9096) - CVE-2017-9096 itext: External entities not disabled

Summary: CVE-2017-9096 itext: External entities not disabled

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2017-9096
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1512828
Blocks:	1512829
TreeView+	depends on / blocked

Reported:	2017-11-14 08:45 UTC by Andrej Nemec
Modified:	2021-02-17 01:14 UTC (History)
CC List:	46 users (show)
Fixed In Version:	itext 5.5.12, itext 7.0.3
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-04-22 23:55:55 UTC
Embargoed:

Attachments	(Terms of Use)

Description Andrej Nemec 2017-11-14 08:45:47 UTC

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

External References:

https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt

Comment 1 Andrej Nemec 2017-11-14 08:46:11 UTC

Created itext tracking bugs for this issue:

Affects: fedora-all [bug 1512828]

Note You need to log in before you can comment on or make changes to this bug.

aileenc
alazarot
andjrobins
anstephe
bkundal
bmaxwell
cdewolf
chazlett
csutherl
darran.lofthouse
dimitris
dosoudil
etirelli
gvarsami
ibek
java-sig-commits
jawilson
jcoleman
jshepherd
kconner
kverlaen
ldimaggi
lef
lgao
lpetrovi
myarboro
nwallace
oget.fedora
paradhya
pavelp
pgier
psakar
pslavice
pszubiak
puntogil
rnetuka
rrajasek
rsvoboda
rsynek
rwagner
rzhang
sdaley
tcunning
tkirby
twalsh
vtunka