GitHub_MVULNRICHMENT:CVE-2024-28109CVE-2024-28109 Potential XSLT injection vulnerability when using policy files
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
no
Technical Impact
total
veraPDF-library is a PDF/A validation library. Executing policy checks using custom schematron files invokes an XSL transformation that could lead to a remote code execution (RCE) vulnerability. This vulnerability is fixed in 1.24.2.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:verapdf:verapdf-library:*:*:*:*:*:*:*:*"
],
"vendor": "verapdf",
"product": "verapdf-library",
"versions": [
{
"status": "affected",
"version": "0",
"lessThan": "1.24.2",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]References
github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb
github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f
github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe
github.com/veraPDF/veraPDF-library/issues/1415
github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
no
Technical Impact
total