| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 6 Nov 2017 14:53:52 +0000 From: Advisories <advisories@...pass-security.com> To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "bugs@...uritytracker.com" <bugs@...uritytracker.com> Subject: CVE-2017-9096 iText XML External Entity Vulnerability ################################################################## # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/en/research/advisories/ # ################################################################## # # Product: iText PDF Library # Vendor: iText Group # CVE ID: CVE-2017-9096 # CSNC ID: CSNC-2017-017 # Subject: XML External Entity Attack (XXE) # Risk: Medium # Effect: Remotely exploitable # Author: Benjamin Bruppacher <benjamin.bruppacher@...pass-security.com> # Date: 2017-11-06 # ################################################################## Introduction: ------------- iText is a software developer toolkit that allows users to integrate PDF functionalities within their applications, processes or products. The used XML parsers inside the library are not configured to disable external entities. This can be used for XML External Entity Attacks[1]. Affected versions: --------- Vulnerable: * 2.0.8 * 5.5.11 * 7.0.2 Not vulnerable: * 5.5.12 * 7.0.3 Technical Description --------------------- The attack can be carried out by submitting a malicious PDF to an iText application that parses XML data. By providing a malicious XXE payloads inside the XML data that resides in the PDF, an attacker can for example extract files or forge requests on the server. Timeline: --------- 2017-05-10: Discovery by Benjamin Bruppacher 2017-05-15: Initial vendor notification 2017-08-01: Vendor releases patch 2017-11-06: Disclosure of the advisory References: ----------- [1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Powered by blists - more mailing lists