CVE-2019-0228 - XXE vulnerability in multiple products

CVSS 9.8 - CRITICAL
  Attack vector:          NETWORK
  Attack complexity:      LOW
  Privileges required:    NONE
  Confidentiality impact: HIGH
  Integrity impact:       HIGH
  Availability impact:    HIGH

Tags: network, low complexity, apache, fedoraproject, oracle, CWE-611, critical, nessus

Summary

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

Vulnerable Configurations

Part         Description    Count
Application  Apache         3
Application  Oracle         33
OS           Fedoraproject  2
OS           Oracle         1

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-9E91AFA2BE.NASL
    description: Update to 2.0.16. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128625
    published: 2019-09-10
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128625
    title: Fedora 30 : pdfbox (2019-9e91afa2be)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-6FA01D12B4.NASL
    description: Update to 2.0.16. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128624
    published: 2019-09-10
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128624
    title: Fedora 29 : pdfbox (2019-6fa01d12b4)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-88F53A7433.NASL
    description: Update to 2.0.16. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129630
    published: 2019-10-07
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129630
    title: Fedora 31 : pdfbox (2019-88f53a7433)

References