CVE-2017-9096 - OpenCVE

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Itextpdf	Itext

Configuration 1 [-]

OR	cpe:2.3:a:itextpdf:itext::::::::
	cpe:2.3:a:itextpdf:itext:7.0.0:::::::*
	cpe:2.3:a:itextpdf:itext:7.0.1:::::::*
	cpe:2.3:a:itextpdf:itext:7.0.2:::::::*

References

Link	Resource
http://www.securityfocus.com/archive/1/541483/100/0/threaded	Third Party Advisory VDB Entry
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us	Third Party Advisory
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-11-08T16:00:00

Updated: 2020-10-20T21:14:52

Reserved: 2017-05-19T00:00:00

Link: CVE-2017-9096

JSON object: View

NVD Information

Status : Modified

Published: 2017-11-08T16:29:00.263

Modified: 2020-10-20T22:15:22.200

Link: CVE-2017-9096

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-11-06T00:00:00", "descriptions": [{"lang": "en", "value": "The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-10-20T21:14:52", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "20171106 CVE-2017-9096 iText XML External Entity Vulnerability", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/541483/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us"}, {"tags": ["x_refsource_MISC"], "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-9096", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "20171106 CVE-2017-9096 iText XML External Entity Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/541483/100/0/threaded"}, {"name": "https://www.oracle.com/security-alerts/cpuoct2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us", "refsource": "CONFIRM", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us"}, {"name": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt", "refsource": "MISC", "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-9096", "datePublished": "2017-11-08T16:00:00", "dateReserved": "2017-05-19T00:00:00", "dateUpdated": "2020-10-20T21:14:52", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:itextpdf:itext:*:*:*:*:*:*:*:*", "matchCriteriaId": "26DB62A8-97FA-403C-9B6D-C34FEF05EDCE", "versionEndExcluding": "5.5.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:itextpdf:itext:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "BFB713D0-721F-4D4E-80D3-0A3F13520934", "vulnerable": true}, {"criteria": "cpe:2.3:a:itextpdf:itext:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DD7B6C29-BFAF-41D8-9187-88F841429F59", "vulnerable": true}, {"criteria": "cpe:2.3:a:itextpdf:itext:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "3D0B8E76-72BB-4785-AE55-EE105A2B49B6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF."}, {"lang": "es", "value": "Los analizadores sint\u00e1cticos XML en iText, en versiones anteriores a la 5.5.12 y en versiones 7.x anteriores a la 7.0.3, no desactivan las entidades externas, lo que podr\u00eda permitir a atacantes remotos realizar ataques XEE (XML External Entity) mediante un PDF manipulado."}], "id": "CVE-2017-9096", "lastModified": "2020-10-20T22:15:22.200", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-08T16:29:00.263", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/archive/1/541483/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}