CVE-2024-52800
Potential XXE (XML External Entity Injection) vulnerability in veraPDF CLI
Severity Score
2.3
*CVSS v4
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
veraPDF is an open source PDF/A validation library. Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust. This issue has not yet been patched. Users are advised to be cautious of XSLT code until a patch is available.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
System
Vulnerable | Subsequent
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-11-15 CVE Reserved
- 2024-11-29 CVE Published
- 2024-11-30 EPSS Updated
- 2024-11-30 First Exploit
- 2024-12-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/veraPDF/veraPDF-library/issues/1488 | X_refsource_misc | |
| https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-4cx5-89vm-833x | X_refsource_confirm |
| URL | Date | SRC |
|---|---|---|
| https://github.com/JAckLosingHeart/GHSA-4cx5-89vm-833x-POC | 2024-11-30 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| VeraPDF Search vendor "VeraPDF" | VeraPDF-library Search vendor "VeraPDF" for product "VeraPDF-library" | <= 1.26.1 Search vendor "VeraPDF" for product "VeraPDF-library" and version " <= 1.26.1" | en |
Affected
| ||||||