ID CVE-2016-2175
Summary Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF. CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (http://cwe.mitre.org/data/definitions/611.html)
References
Vulnerable Configurations
  • cpe:2.3:a:apache:pdfbox:1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:1.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:1.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:1.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:1.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:1.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:1.8.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:1.8.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:1.8.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:1.8.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:1.8.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:1.8.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:2.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:2.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:pdfbox:2.0:rc3:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 09-10-2018 - 19:59)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2017:0179
  • rhsa
    id RHSA-2017:0248
  • rhsa
    id RHSA-2017:0249
  • rhsa
    id RHSA-2017:0272
refmap via4
bid 90902
bugtraq 20160527 [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability
confirm
debian DSA-3606
misc http://packetstormsecurity.com/files/137214/Apache-PDFBox-1.8.11-2.0.0-XML-Injection.html
mlist
  • [tika-commits] 20190802 svn commit: r1864259 [1/17] - in /tika/site: publish/ publish/1.10/ publish/1.11/ publish/1.12/ publish/1.13/ publish/1.14/ publish/1.15/ publish/1.16/ publish/1.17/ publish/1.18/ publish/1.19.1/ publish/1.19/ publish/1.20/ publish/1.21/ publish/1.22/ ...
  • [www-announce] 20160527 [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability
Last major update 09-10-2018 - 19:59
Published 01-06-2016 - 20:59
Last modified 09-10-2018 - 19:59