################################################################## # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/en/research/advisories/ # ################################################################## # # Product: iText PDF Library # Vendor: iText Group # CVE ID: CVE-2017-9096 # CSNC ID: CSNC-2017-017 # Subject: XML External Entity Attack (XXE) # Risk: Medium # Effect: Remotely exploitable # Author: Benjamin Bruppacher <benjamin.bruppacher@xxxxxxxxxxxxxxxxxxxx> # Date: 2017-11-06 # ################################################################## Introduction: ------------- iText is a software developer toolkit that allows users to integrate PDF functionalities within their applications, processes or products. The used XML parsers inside the library are not configured to disable external entities. This can be used for XML External Entity Attacks[1]. Affected versions: --------- Vulnerable: * 2.0.8 * 5.5.11 * 7.0.2 Not vulnerable: * 5.5.12 * 7.0.3 Technical Description --------------------- The attack can be carried out by submitting a malicious PDF to an iText application that parses XML data. By providing a malicious XXE payloads inside the XML data that resides in the PDF, an attacker can for example extract files or forge requests on the server. Timeline: --------- 2017-05-10: Discovery by Benjamin Bruppacher 2017-05-15: Initial vendor notification 2017-08-01: Vendor releases patch 2017-11-06: Disclosure of the advisory References: ----------- [1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing