CVE-2017-9096 iText XML External Entity Vulnerability
- To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "bugs@xxxxxxxxxxxxxxxxxxx" <bugs@xxxxxxxxxxxxxxxxxxx>
- Subject: CVE-2017-9096 iText XML External Entity Vulnerability
- From: Advisories <advisories@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 6 Nov 2017 14:53:52 +0000
##################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#
##################################################################
#
# Product: iText PDF Library
# Vendor: iText Group
# CVE ID: CVE-2017-9096
# CSNC ID: CSNC-2017-017
# Subject: XML External Entity Attack (XXE)
# Risk: Medium
# Effect: Remotely exploitable
# Author: Benjamin Bruppacher <benjamin.bruppacher@xxxxxxxxxxxxxxxxxxxx>
# Date: 2017-11-06
#
##################################################################
Introduction:
-------------
iText is a software developer toolkit that allows users to integrate PDF
functionalities within their applications, processes or products.
The XML parsers used inside the library are not configured to disable external
entities. This can be used for XML External Entity attacks [1].
Affected versions:
------------------
Vulnerable:
* 2.0.8
* 5.5.11
* 7.0.2
Not vulnerable:
* 5.5.12
* 7.0.3
Technical Description
---------------------
The attack can be carried out by submitting a malicious PDF to an iText
application that parses XML data.
By providing malicious XXE payloads inside the XML data that resides in the
PDF, an attacker can, for example, extract files or forge requests on the server.
Timeline:
---------
2017-05-10: Discovery by Benjamin Bruppacher
2017-05-15: Initial vendor notification
2017-08-01: Vendor releases patch
2017-11-06: Disclosure of the advisory
References:
-----------
[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing