Vulnerability Details : CVE-2016-2175
Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not securely configure the XML parsers it uses when reading XML carried inside a PDF (external entity resolution is left enabled), which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF. The issue is fixed in 1.8.12 and 2.0.1; any service that parses untrusted PDFs through an affected build (directly or through a library that bundles PDFBox) should upgrade, and the Debian and Red Hat advisories listed below cover the downstream packages.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2016-2175
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:1.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:1.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:1.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:1.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:1.8.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:1.8.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:1.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:1.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:pdfbox:1.8.8:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-2175
- EPSS score: 0.09% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~39% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2016-2175
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST |
References for CVE-2016-2175
- svn commit: r1864259 [1/17] - in /tika/site: publish/ publish/1.10/ publish/1.11/ publish/1.12/ publish/1.13/ publish/1.14/ publish/1.15/ publish/1.16/ publish/1.17/ publish/1.18/ publish/1.19.1/ publ: https://lists.apache.org/thread.html/ad5fbc86c1d1821ae1b963e8561ab6d6a5f66b2848e84f5a31477f54@%3Ccommits.tika.apache.org%3E
- Apache PDFBox 1.8.11 / 2.0.0 / XML Injection (Packet Storm): http://packetstormsecurity.com/files/137214/Apache-PDFBox-1.8.11-2.0.0-XML-Injection.html
- [Apache-SVN] Revision 1739564 (Patch; Vendor Advisory): http://svn.apache.org/viewvc?view=revision&revision=1739564
- RHSA-2017:0179 - Security Advisory - Red Hat Customer Portal: http://rhn.redhat.com/errata/RHSA-2017-0179.html
- [Apache-SVN] Revision 1739565 (Patch; Vendor Advisory): http://svn.apache.org/viewvc?view=revision&revision=1739565
- RHSA-2017:0248 - Security Advisory - Red Hat Customer Portal: http://rhn.redhat.com/errata/RHSA-2017-0248.html
- Debian -- Security Information -- DSA-3606-1 libpdfbox-java (Third Party Advisory): http://www.debian.org/security/2016/dsa-3606
- Apache PDFBox CVE-2016-2175 XML External Entity Injection Vulnerability (SecurityFocus BID 90902): http://www.securityfocus.com/bid/90902
- [CVE-2016-2175] Apache PDFBox XML External Entity vulnerability (Mailing List): http://mail-archives.us.apache.org/mod_mbox/www-announce/201605.mbox/%3C83a03bcf-f86b-4688-37b5-615c080291d8@apache.org%3E
- SecurityFocus (Bugtraq archive): http://www.securityfocus.com/archive/1/538503/100/0/threaded
- RHSA-2017:0249 - Security Advisory - Red Hat Customer Portal: http://rhn.redhat.com/errata/RHSA-2017-0249.html
- RHSA-2017:0272 - Security Advisory - Red Hat Customer Portal: http://rhn.redhat.com/errata/RHSA-2017-0272.html