Input validation error in PDFBox
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2016-2175 |
| CWE-ID | CWE-20 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
PDFBox Universal components / Libraries / Libraries used by multiple products Debian Linux Operating systems & Components / Operating system |
| Vendor |
Apache Foundation Debian |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Input validation error
EUVDB-ID: #VU40255
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-2175
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a local authenticated user to execute arbitrary code.
Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF. <a href="http://cwe.mitre.org/data/definitions/611.html">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>
MitigationInstall update from vendor's website.
Vulnerable software versionsPDFBox: 1.8.0 - 2.0
Debian Linux: 1.8.0 - 8.0
CPE2.3- cpe:2.3:a:apache_foundation:pdfbox:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:pdfbox:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:pdfbox:1.8.2:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:1.8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:1.8.1:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:1.8.2:*:*:*:*:*:*:*
http://mail-archives.us.apache.org/mod_mbox/www-announce/201605.mbox/%3C83a03bcf-f86b-4688-37b5-615c080291d8@apache.org%3E
http://packetstormsecurity.com/files/137214/Apache-PDFBox-1.8.11-2.0.0-XML-Injection.html
http://rhn.redhat.com/errata/RHSA-2017-0179.html
http://rhn.redhat.com/errata/RHSA-2017-0248.html
http://rhn.redhat.com/errata/RHSA-2017-0249.html
http://rhn.redhat.com/errata/RHSA-2017-0272.html
http://svn.apache.org/viewvc?view=revision&revision=1739564
http://svn.apache.org/viewvc?view=revision&revision=1739565
http://www.debian.org/security/2016/dsa-3606
http://www.securityfocus.com/archive/1/538503/100/0/threaded
http://www.securityfocus.com/bid/90902
http://lists.apache.org/thread.html/ad5fbc86c1d1821ae1b963e8561ab6d6a5f66b2848e84f5a31477f54@%3Ccommits.tika.apache.org%3E
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
