Vulnerability Database

CVE-2019-0228

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

CVSS v3:

  • Severity: Critical
  • Score: 9.8
  • AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

  • Severity: High
  • Score: 7.5
  • AV:N/AC:L/Au:N/C:P/I:P/A:P

| Software | From | Fixed in |
|---|---|---|
| apache / pdfbox | 2.0.14 | 2.0.14.x |
| apache / james | 3.4.0 | 3.4.0.x |
| apache / james | 3.3.0 | 3.3.0.x |
| fedoraproject / fedora | 29 | 29.x |
| fedoraproject / fedora | 30 | 30.x |
| oracle / hyperion_financial_reporting | 11.1.2.4 | 11.1.2.4.x |
| oracle / webcenter_sites | 12.2.1.3.0 | 12.2.1.3.0.x |
| oracle / peoplesoft_enterprise_peopletools | 8.58 | 8.58.x |
| oracle / webcenter_sites | 12.2.1.4.0 | 12.2.1.4.0.x |
| oracle / retail_xstore_point_of_service | 17.0 | 17.0.x |
| oracle / banking_virtual_account_management | 14.3.0 | 14.3.0.x |
| oracle / communications_messaging_server | 8.1 | 8.1.x |
| oracle / peoplesoft_enterprise_peopletools | 8.59 | 8.59.x |
| oracle / retail_xstore_point_of_service | 16.0.6 | 16.0.6.x |
| oracle / retail_xstore_point_of_service | 18.0.3 | 18.0.3.x |
| oracle / hyperion_financial_reporting | 11.2.6.0 | 11.2.6.0.x |
| oracle / banking_trade_finance_process_management | 14.2 | 14.2.x |
| oracle / banking_trade_finance_process_management | 14.3 | 14.3.x |
| oracle / banking_trade_finance_process_management | 14.5 | 14.5.x |
| oracle / banking_credit_facilities_process_management | 14.2 | 14.2.x |
| oracle / banking_credit_facilities_process_management | 14.3 | 14.3.x |
| oracle / banking_credit_facilities_process_management | 14.5 | 14.5.x |
| oracle / banking_corporate_lending_process_management | 14.2 | 14.2.x |
| oracle / banking_corporate_lending_process_management | 14.3 | 14.3.x |
| oracle / banking_corporate_lending_process_management | 14.5 | 14.5.x |
| oracle / banking_supply_chain_finance | 14.2 | 14.2.x |
| oracle / banking_supply_chain_finance | 14.3 | 14.3.x |
| oracle / banking_supply_chain_finance | 14.5 | 14.5.x |
| oracle / banking_virtual_account_management | 14.2 | 14.2.x |
| oracle / banking_virtual_account_management | 14.5 | 14.5.x |
| oracle / communications_session_report_manager | 8.0.0.0 | 8.2.4.0.x |
| org.apache.pdfbox / pdfbox | 2.0.14 | 2.0.15 |