PDFBox / PDFBOX-4505

CVE-2019-0228: possible XML External Entity (XXE) attack

    Details

      Description

      Kurt Boberg of DocuSign reported a possible XML External Entity (XXE) attack. Excerpt from his mail to security@apache.org:

      I’m a security researcher at DocuSign. While doing due diligence on PDFBox as a third party component, I found a blind XXE vulnerability in the Stamp annotation FDF parser. The vulnerability is here:

      https://github.com/apache/pdfbox/blob/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/fdf/FDFAnnotationStamp.java#L144-L164

      You are at the mercy of the Java Runtime parser here (this is a known anti-pattern for interacting with Java’s XML parsing).

      As we already have secure code to avoid such attacks, we simply have to do some DRY refactoring. That said, we should simplify the code by using XMLUtil for all of them.
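      As an added illustration (not PDFBox's own code and not its XMLUtil), the following shows the JRE-default parsing the report calls an anti-pattern next to a hardened DocumentBuilderFactory; the class name, the constructed sample XML and the chosen feature settings are assumptions:

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardeningDemo {
    // Constructed sample: a DOCTYPE declaring an external entity. The path is a placeholder
    // that does not exist; it only reveals whether the parser attempts to resolve it.
    static final String SAMPLE = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE stamp [<!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\">]>"
        + "<stamp>&ext;</stamp>";

    // The anti-pattern from the report: the JRE's default DocumentBuilderFactory
    // resolves external entities unless told otherwise.
    static Document parsePermissive(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Hardened factory (assumed settings, not a copy of PDFBox's XMLUtil): reject any DOCTYPE
    // so no entity can be declared, and also switch off resolution in case a parser ignores that.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Document parseHardened(String xml) throws Exception {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        try { parsePermissive(SAMPLE); } catch (IOException | SAXException e) {
            // Reaching here means the default parser went looking for the referenced resource.
            System.out.println("default parser tried to resolve the entity: " + e);
        }
        try { parseHardened(SAMPLE); } catch (SAXException e) {
            // The hardened parser refuses the DOCTYPE before any resolution can happen.
            System.out.println("hardened parser rejected the DOCTYPE: " + e.getMessage());
        }
    }
}
```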

             People

             Assignee: Andreas Lehmkühler (lehmi)
             Reporter: Andreas Lehmkühler (lehmi)