CVE-2016-2175

HIGH

Apache PDFBox < 1.8.12 and 2.x < 2.0.1 - XML External Entity Injection


Description

Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.

References (12)

Core References
Vendor Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2017-0179.html
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/538503/100/0/threaded
Patch, Vendor Advisory (x_refsource_confirm): http://svn.apache.org/viewvc?view=revision&revision=1739564
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/90902
Patch, Vendor Advisory (x_refsource_confirm): http://svn.apache.org/viewvc?view=revision&revision=1739565
Vendor Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2017-0272.html
Vendor Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2017-0248.html
Vendor Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2017-0249.html
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2016/dsa-3606

Scores

CVSS v3: 7.8
EPSS: 0.0589
EPSS Percentile: 90.7%
Attack Vector: LOCAL
Vector string: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status: published
Products (15):
apache/pdfbox 1.8.0
apache/pdfbox 1.8.1
apache/pdfbox 1.8.2
apache/pdfbox 1.8.3
apache/pdfbox 1.8.4
apache/pdfbox 1.8.5
apache/pdfbox 1.8.6
apache/pdfbox 1.8.7
apache/pdfbox 1.8.8
apache/pdfbox 1.8.9
... and 5 more
Published: Jun 01, 2016
Tracked Since: Feb 18, 2026