Lucene search

[email protected]NVD:CVE-2024-28109

HistoryMar 28, 2024 - 2:15 p.m.

CVE-2024-28109

2024-03-2814:15:13

CWE-91

[email protected]

web.nvd.nist.gov

cve-2024-28109

pdf/a validation

verapdf-library

policy checks

schematron files

xsl transformation

remote code execution

rce

vulnerability

fixed

1.24.2

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS

Percentile

15.5%

JSON

veraPDF-library is a PDF/A validation library. Executing policy checks using custom schematron files invokes an XSL transformation that could lead to a remote code execution (RCE) vulnerability. This vulnerability is fixed in 1.24.2.

References

github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb

github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f

github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe

github.com/veraPDF/veraPDF-library/issues/1415

github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS

Percentile

15.5%

JSON

Related for NVD:CVE-2024-28109

osv2 cve1 github1 veracode1 cvelist1 vulnrichment1