CVE-2017-9096

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

Weakness

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Affected Software

Name	Vendor	Start Version	End Version
Itext	Itextpdf	*	5.5.12 (excluding)
Itext	Itextpdf	7.0.0 (including)	7.0.0 (including)
Itext	Itextpdf	7.0.1 (including)	7.0.1 (including)
Itext	Itextpdf	7.0.2 (including)	7.0.2 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/221.html

References

http://www.securityfocus.com/archive/1/541483/100/0/threaded
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt
https://www.oracle.com/security-alerts/cpuoct2020.html
http://www.securityfocus.com/archive/1/541483/100/0/threaded
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt
https://www.oracle.com/security-alerts/cpuoct2020.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2017-9096
CWE	https://cwe.mitre.org/data/definitions/611.html

Improper Restriction of XML External Entity Reference

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References