CVE-2016-2175

high-risk

Published 2016-06-01

Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.

Do I need to act?

3.4% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.8/10 High

LOCAL / LOW complexity

Affected Products (17)

Pdfbox

Debian Linux

Pdfbox

Affected Vendors

Debian Apache

References (24)

http://mail-archives.us.apache.org/mod_mbox/www-announce/201605.mbox/%3C83a03bcf...

http://packetstormsecurity.com/files/137214/Apache-PDFBox-1.8.11-2.0.0-XML-Injec...

http://rhn.redhat.com/errata/RHSA-2017-0179.html

http://rhn.redhat.com/errata/RHSA-2017-0248.html

http://rhn.redhat.com/errata/RHSA-2017-0249.html

http://rhn.redhat.com/errata/RHSA-2017-0272.html

Patch http://svn.apache.org/viewvc?view=revision&revision=1739564

Patch http://svn.apache.org/viewvc?view=revision&revision=1739565

Third Party Advisory http://www.debian.org/security/2016/dsa-3606

http://www.securityfocus.com/archive/1/538503/100/0/threaded

http://www.securityfocus.com/bid/90902

https://lists.apache.org/thread.html/ad5fbc86c1d1821ae1b963e8561ab6d6a5f66b2848e...

http://mail-archives.us.apache.org/mod_mbox/www-announce/201605.mbox/%3C83a03bcf...

http://packetstormsecurity.com/files/137214/Apache-PDFBox-1.8.11-2.0.0-XML-Injec...

http://rhn.redhat.com/errata/RHSA-2017-0179.html

http://rhn.redhat.com/errata/RHSA-2017-0248.html

http://rhn.redhat.com/errata/RHSA-2017-0249.html

http://rhn.redhat.com/errata/RHSA-2017-0272.html

Patch http://svn.apache.org/viewvc?view=revision&revision=1739564

Patch http://svn.apache.org/viewvc?view=revision&revision=1739565

and 4 more references

/ 100

high-risk

Severity 24/34 · High

Exploitability 7/34 · Low

Exposure 19/34 · Moderate