Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-0228

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

Published

2019-04-17T15:29:00.703

Last Modified

2024-11-21T04:16:32.607

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

10.0

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-611
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application apache pdfbox 2.0.14 Yes
Application apache james 3.3.0 Yes
Application apache james 3.4.0 Yes
Operating System fedoraproject fedora 29 Yes
Operating System fedoraproject fedora 30 Yes
Application oracle banking_corporate_lending_process_management 14.2 Yes
Application oracle banking_corporate_lending_process_management 14.3 Yes
Application oracle banking_corporate_lending_process_management 14.5 Yes
Application oracle banking_credit_facilities_process_management 14.2 Yes
Application oracle banking_credit_facilities_process_management 14.3 Yes
Application oracle banking_credit_facilities_process_management 14.5 Yes
Application oracle banking_supply_chain_finance 14.2 Yes
Application oracle banking_supply_chain_finance 14.3 Yes
Application oracle banking_supply_chain_finance 14.5 Yes
Application oracle banking_trade_finance_process_management 14.2 Yes
Application oracle banking_trade_finance_process_management 14.3 Yes
Application oracle banking_trade_finance_process_management 14.5 Yes
Application oracle banking_virtual_account_management 14.2 Yes
Application oracle banking_virtual_account_management 14.3.0 Yes
Application oracle banking_virtual_account_management 14.5 Yes
Application oracle communications_messaging_server 8.1 Yes
Application oracle communications_session_report_manager ≤ 8.2.4.0 Yes
Application oracle hyperion_financial_reporting 11.1.2.4 Yes
Application oracle hyperion_financial_reporting 11.2.6.0 Yes
Application oracle peoplesoft_enterprise_peopletools 8.58 Yes
Application oracle peoplesoft_enterprise_peopletools 8.59 Yes
Application oracle retail_xstore_point_of_service 16.0.6 Yes
Application oracle retail_xstore_point_of_service 17.0 Yes
Application oracle retail_xstore_point_of_service 18.0.3 Yes
Application oracle webcenter_sites 12.2.1.3.0 Yes
Application oracle webcenter_sites 12.2.1.4.0 Yes
Operating System oracle communications_messaging_server 8.1 Yes
References