CVE-2016-2175

Severity
7.8 HIGH
EPSS
3.4% (top 12.62%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jun 1, 2016
Latest update Oct 17

Description

Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.
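The bug class behind this CVE, shown as an added example that is not PDFBox or Tika code: a JAXP DocumentBuilderFactory left at its defaults expands an external entity declared in the DOCTYPE of whatever XML it is handed, for instance an XMP metadata stream carried inside a crafted PDF, so a local file ends up in the parsed document. The hardened factory refuses the DOCTYPE before any entity is resolved. The XxeDemo class, its method names, the constructed XMP-style payload and the temp file standing in for a sensitive local file are this example's own assumptions; the feature list is the standard JAXP XXE hardening, not a statement of the exact settings PDFBox 1.8.12 and 2.0.1 adopted.

```java
// Added example (not project code): unhardened vs hardened JAXP parser
// configuration, demonstrating the XXE bug class of CVE-2016-2175.
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeDemo {

    // Factory at JDK defaults: external general entities are resolved,
    // which is the "not properly initialized" state the CVE describes.
    static DocumentBuilder unhardened() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened factory: reject any DOCTYPE, and as defence in depth also
    // switch off external entities, external DTD loading and XInclude.
    static DocumentBuilder hardened() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Text content of the root element: whatever the entity expanded to.
    static String rootText(DocumentBuilder b, String xml) throws SAXException, IOException {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the parsing host.
        Path secret = Files.createTempFile("xxe-secret", ".txt");
        Files.write(secret, "TOP-SECRET".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed XMP-style payload of the kind a crafted PDF could embed.
        String payload =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE xmpmeta [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
          + "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\">&xxe;</x:xmpmeta>";

        // Default parser: the file contents come back as element text.
        System.out.println("unhardened parser read: " + rootText(unhardened(), payload));

        // Hardened parser: the DOCTYPE itself is rejected with a SAXParseException.
        try {
            rootText(hardened(), payload);
            System.out.println("hardened parser: payload accepted (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected payload: " + e.getMessage());
        }
    }
}
```

Compile and run with a plain JDK (javac XxeDemo.java && java XxeDemo); the first line prints the temp file's contents, the second the parser's DOCTYPE rejection. The same feature flags apply to SAXParserFactory and, via the matching property names, to XMLInputFactory, which is why a library that builds XML parsers in several places needs one shared, hardened factory helper rather than ad hoc newInstance() calls.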

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (3 packages)

Maven: org.apache.pdfbox:pdfbox, 2.0.0 (fixed in 2.0.1), +1 more range
NVD: apache/pdfbox, 13 versions, +12 more
Debian: libpdfbox-java, < 1:1.8.12-1, +3 more

Also affects: Debian Linux 8.0

Patches

🔴Vulnerability Details (5)

GHSA: High severity vulnerability that affects org.apache.pdfbox:pdfbox (2018-10-17)
OSV: High severity vulnerability that affects org.apache.pdfbox:pdfbox (2018-10-17)
GHSA: Apache Tika does not properly initialize the XML parser or choose handlers (2018-10-17)
CVEList: CVE-2016-2175: Apache PDFBox before 1… (2016-06-01)
OSV: CVE-2016-2175: Apache PDFBox before 1… (2016-06-01)

📋Vendor Advisories (4)

Red Hat: pdfbox: XML External Entity vulnerability (2016-05-27)
Red Hat: tika: XML External Entity vulnerability (2016-05-26)
Debian: CVE-2016-2175: libpdfbox-java - Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize th… (2016)
Apache: Apache tika: CVE-2016-2175

💬Community (2)

Bugzilla: CVE-2016-2175 pdfbox: XML External Entity vulnerability (2016-05-27)
Bugzilla: CVE-2016-2175 pdfbox: XML External Entity vulnerability [fedora-all] (2016-05-27)
CVE-2016-2175 (HIGH CVSS 7.8) | Apache PDFBox before 1.8.12 and 2.x | cvebase.io