GoogleOSV:GHSA-QXQF-2MFX-X8JWveraPDF has potential XSLT injection vulnerability when using policy files
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
15.5%
Impact
Executing policy checks using custom schematron files invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability.
Patches
This has been patched and users should upgrade to veraPDF v1.24.2
Workarounds
This doesn’t affect the standard validation and policy checks functionality, veraPDF’s common use cases. Most veraPDF users don’t insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust.
References
Original issue: <https://github.com/veraPDF/veraPDF-library/issues/1415>
References
github.com/veraPDF/veraPDF-library
github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb
github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f
github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe
github.com/veraPDF/veraPDF-library/issues/1415
github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw
nvd.nist.gov/vuln/detail/CVE-2024-28109
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
15.5%