CVE-2024-28109

veraPDF-library is a PDF/A validation library. Executing policy checks using custom schematron files invokes an XSL transformation that could lead to a remote code execution (RCE) vulnerability. This vulnerability is fixed in 1.24.2.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb
https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f
https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe
https://github.com/veraPDF/veraPDF-library/issues/1415
https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw
https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb
https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f
https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe
https://github.com/veraPDF/veraPDF-library/issues/1415
https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw

Configurations

No configuration.

History

21 Nov 2024, 09:05

Type	Values Removed	Values Added
Summary		(es) veraPDF-library es una librería de validación de PDF/A. La ejecución de comprobaciones de políticas utilizando archivos de esquema personalizados invoca una transformación XSL que podría provocar una vulnerabilidad de ejecución remota de código (RCE). Esta vulnerabilidad se solucionó en 1.24.2.
References	~~() https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb -~~	() https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb -
References	~~() https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f -~~	() https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f -
References	~~() https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe -~~	() https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe -
References	~~() https://github.com/veraPDF/veraPDF-library/issues/1415 -~~	() https://github.com/veraPDF/veraPDF-library/issues/1415 -
References	~~() https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw -~~	() https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw -

28 Mar 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-28 14:15

Updated : 2024-11-21 09:05

NVD link : CVE-2024-28109

Mitre link : CVE-2024-28109

CVE.ORG link : CVE-2024-28109

JSON object : View

Products Affected

No product.

CWE

CWE-91

XML Injection (aka Blind XPath Injection)

8.1 /10