https://bugzilla.redhat.com/show_bug.cgi?id=1512827
Bug ID: 1512827
Summary: CVE-2017-9096 itext: External entities not disabled
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: alazarot@redhat.com, andjrobins@gmail.com, anstephe@redhat.com, etirelli@redhat.com, ibek@redhat.com, java-sig-commits@lists.fedoraproject.org, kverlaen@redhat.com, lef@fedoraproject.org, lpetrovi@redhat.com, oget.fedora@gmail.com, paradhya@redhat.com, pavelp@redhat.com, pszubiak@redhat.com, puntogil@libero.it, rrajasek@redhat.com, rsynek@redhat.com, rzhang@redhat.com, sdaley@redhat.com
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
External References:
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2...