GHSA-4cx5-89vm-833x

Source
https://github.com/advisories/GHSA-4cx5-89vm-833x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-4cx5-89vm-833x/GHSA-4cx5-89vm-833x.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4cx5-89vm-833x
Aliases
  • CVE-2024-52800
Published
2024-12-02T17:15:24Z
Modified
2024-12-23T17:24:55.631765Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
veraPDF CLI has potential XXE (XML External Entity Injection) vulnerability
Details

Impact

Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability.

Patches

We are currently working on a patch that will be released when ready.

Workarounds

This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust.
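The workaround above is procedural (only trust the policy source); the engine-side mitigation for the same issue is to compile policy-derived stylesheets with a hardened JAXP TransformerFactory. The following is an added example, not veraPDF's code or its fix, assuming the JDK's built-in XSLTC TransformerFactory; the stylesheet string is constructed here to exercise the rejection path.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;

public class HardenedPolicyTransform {

    // Constructed sample (not from veraPDF): an XSLT stylesheet, the form a
    // Schematron policy is compiled to, whose DOCTYPE declares an external
    // entity. A hardened factory must refuse to compile it.
    static final String UNTRUSTED_XSLT =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE x [<!ENTITY ext SYSTEM \"file:///tmp/constructed-placeholder.txt\">]>\n"
      + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
      + "  <xsl:template match=\"/\"><out>&ext;</out></xsl:template>\n"
      + "</xsl:stylesheet>";

    /** Factory that can neither resolve external entities/DTDs nor load
     *  external stylesheets, and with extension functions disabled. */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing: XSLTC refuses extension functions (the code-execution path)
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list = no external DTD / external entity access at all
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // Likewise for xsl:import, xsl:include and document() targets outside the stylesheet
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Returns true if the stylesheet compiled, false if the factory rejected it. */
    static boolean compiles(TransformerFactory tf, String xslt) {
        try {
            tf.newTemplates(new StreamSource(new StringReader(xslt)));
            return true;
        } catch (TransformerConfigurationException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean accepted = compiles(hardenedFactory(), UNTRUSTED_XSLT);
        System.out.println("hardened factory accepted untrusted stylesheet: " + accepted);
    }
}
```

Non-JDK XSLT engines may not recognise the two ACCESS_EXTERNAL_* attributes and will throw IllegalArgumentException from setAttribute; check the engine's own documentation for its equivalent settings.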

References

Original issue: #1488

Database specific
{
    "nvd_published_at": "2024-11-29T19:15:08Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-02T17:15:24Z"
}
Affected packages

Maven / org.verapdf:core

Package

Name
org.verapdf:core
Purl
pkg:maven/org.verapdf/core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.26.2

Affected versions

1.4.1
1.6.1
1.6.2
1.8.1
1.10.1
1.10.2
1.10.3
1.12.1
1.14.1-RC
1.14.2-RC
1.14.3-RC
1.14.6-RC
1.14.100
1.14.101
1.14.102
1.14.103
1.14.105
1.16.1
1.18.2
1.18.3
1.18.11
1.20.1
1.20.2
1.22.1
1.22.2
1.24.1
1.24.2
1.26.1

Database specific

{
    "last_known_affected_version_range": "<= 1.26.1"
}

Maven / org.verapdf:core-jakarta

Package

Name
org.verapdf:core-jakarta
Purl
pkg:maven/org.verapdf/core-jakarta

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.26.2

Affected versions

1.24.1
1.24.2
1.26.1

Database specific

{
    "last_known_affected_version_range": "<= 1.26.1"
}

Maven / org.verapdf:core-arlington

Package

Name
org.verapdf:core-arlington
Purl
pkg:maven/org.verapdf/core-arlington

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.26.2

Database specific

{
    "last_known_affected_version_range": "<= 1.26.1"
}

Maven / org.verapdf:verapdf.library

Package

Name
org.verapdf:verapdf.library
Purl
pkg:maven/org.verapdf/verapdf.library

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.26.2

Database specific

{
    "last_known_affected_version_range": "<= 1.26.1"
}

Maven / org.verapdf:verapdf-library-jakarta

Package

Name
org.verapdf:verapdf-library-jakarta
Purl
pkg:maven/org.verapdf/verapdf-library-jakarta

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.26.2

Affected versions

1.24.1
1.24.2
1.26.1

Database specific

{
    "last_known_affected_version_range": "<= 1.26.1"
}

Maven / org.verapdf:verapdf-library-arlington

Package

Name
org.verapdf:verapdf-library-arlington
Purl
pkg:maven/org.verapdf/verapdf-library-arlington

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.26.2

Database specific

{
    "last_known_affected_version_range": "<= 1.26.1"
}