You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Danny Trunk (Jira)" <ji...@apache.org> on 2023/06/22 11:57:00 UTC
[jira] [Created] (OFBIZ-12832) Replace iText due to CVE-2017-9096
Danny Trunk created OFBIZ-12832:
-----------------------------------
Summary: Replace iText due to CVE-2017-9096
Key: OFBIZ-12832
URL: https://issues.apache.org/jira/browse/OFBIZ-12832
Project: OFBiz
Issue Type: Task
Affects Versions: 18.12.08
Reporter: Danny Trunk
Not sure if OFBiz is affected here but might be better to just get rid of that library. Also because of [OFBIZ-10455|https://issues.apache.org/jira/browse/OFBIZ-10455].
*CVE-2017-9096* (OSSINDEX)
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
CWE-611 Improper Restriction of XML External Entity Reference
CVSSv3:
* Base Score: HIGH (8.8)
* Vector: CVSS:/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
* OSSINDEX - [[CVE-2017-9096] CWE-611: Improper Restriction of XML External Entity Reference ('XXE')|https://ossindex.sonatype.org/vulnerability/CVE-2017-9096?component-type=maven&component-name=com.lowagie%2Fitext&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1]
* OSSIndex - [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9096]
* OSSIndex - [https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt]
* OSSIndex - [https://www.securityfocus.com/archive/1/archive/1/541483/100/0/threaded]
Vulnerable Software & Versions (OSSINDEX):
* cpe:2.3:a:com.lowagie:itext:2.1.7:*:*:*:*:*:*:*
--
This message was sent by Atlassian Jira
(v8.20.10#820010)