PDFBox / PDFBOX-4505

CVE-2019-0228: possible XML External Entity (XXE) attack


Details

    Description

      Kurt Boberg of DocuSign reported a possible XML External Entity (XXE) attack. Excerpt from his mail to security@apache.org:

      I’m a security researcher at DocuSign. While doing due diligence on PDFBox as a third party component, I found a blind XXE vulnerability in the Stamp annotation FDF parser. The vulnerability is here:

      https://github.com/apache/pdfbox/blob/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/fdf/FDFAnnotationStamp.java#L144-L164

      You are at the mercy of the Java Runtime parser here (this is a known anti-pattern for interacting with Java’s XML parsing).

      As we already have some secure code to avoid such attacks, we simply have to do some DRY refactoring. That said, we should simplify the code by using XMLUtil for all of them.
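      The following is an added, self-contained example and not code from PDFBox or from the reporter. It shows the two halves of what this issue describes: a JAXP DocumentBuilder created with JRE defaults (the anti-pattern referenced above) expanding a SYSTEM entity that points at a local file, beside a hardened builder of the kind the refactoring onto XMLUtil is meant to give every XML-parsing path in the project. The hardened builder here is my own stand-in, not XMLUtil itself; the stamp-shaped XML payload, the element names and the temporary "secret" file are all constructed for the demo and do not mirror the real FDF stamp format.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeDemo {

    /** The anti-pattern: a builder with JRE defaults, which honours DOCTYPE and resolves external entities. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened stand-in (assumption: mirrors the intent of routing parsing through one secured helper). */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing any DOCTYPE is the single most effective XXE control (Xerces feature, JDK built-in parser).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a DOCTYPE ever has to be tolerated again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the payload and returns the text of the first <Name> element (assumed element name). */
    static String parseName(DocumentBuilder b, String xml) throws SAXException, IOException {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("Name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file an attacker would target.
        Path secret = Files.createTempFile("pdfbox-xxe-demo", ".txt");
        Files.write(secret, "TOP-SECRET".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed attacker-controlled XML shaped like a stamp payload (not a real FDF stamp annotation).
        String payload =
              "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE stamp [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<stamp><Name>&xxe;</Name></stamp>";

        // 1) JRE-default parser: the entity is expanded and the file content lands in the DOM.
        System.out.println("default parser  -> Name = " + parseName(defaultBuilder(), payload));

        // 2) Hardened parser: the DOCTYPE is refused before any entity can even be declared.
        try {
            System.out.println("hardened parser -> Name = " + parseName(hardenedBuilder(), payload));
        } catch (SAXException e) {
            System.out.println("hardened parser -> rejected: " + e.getMessage());
        }
    }
}
```

      Compile and run with `javac XxeDemo.java && java XxeDemo`; the first line echoes the temp file's content, the second reports a DOCTYPE rejection. The point of the issue is exactly this: every place that calls `DocumentBuilderFactory.newInstance()` directly gets the first behaviour, so centralising parsing in one hardened helper removes the class of bug rather than one instance of it.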

People
  lehmi Andreas Lehmkühler
Votes: 0
Watchers: 4
