CVE-2017-9096 – com.lowagie:itext
Package
Manager: maven
Name: com.lowagie:itext
Vulnerable Version: >=0 <=4.2.2
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.09691 (percentile: 0.92621)
Details
Improper Restriction of XML External Entity Reference in iText
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
Metadata
Created: 2022-05-13T01:14:24Z
Modified: 2024-03-06T21:45:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-86p9-x5pw-94qx/GHSA-86p9-x5pw-94qx.json
CWE IDs: ["CWE-611"]
Alternative ID: GHSA-86p9-x5pw-94qx
Finding: F083
Auto approve: 1