CVE-2024-28109 Potential XSLT injection vulnerability when using policy files

2024-03-2813:19:39

CWE-91

GitHub_M

www.cve.org

cve-2024-28109

xslt injection

policy files

verapdf-library

pdf/a validation

rce vulnerability

remote code execution

fixed vulnerability

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS

Percentile

15.5%

JSON

veraPDF-library is a PDF/A validation library. Executing policy checks using custom schematron files invokes an XSL transformation that could lead to a remote code execution (RCE) vulnerability. This vulnerability is fixed in 1.24.2.

CNA Affected

[
  {
    "vendor": "veraPDF",
    "product": "veraPDF-library",
    "versions": [
      {
        "version": "< 1.24.2",
        "status": "affected"
      }
    ]
  }
]