CVE-2017-9096
Published: 2017-11-08
Priority: P3 52 high
CVSS 3.0: 8.8 (high), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 9.90% (95.0th percentile)
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| itextpdf | itext | < 5.5.12 | 5.5.12 |
| itextpdf | itext | — | — |
| itextpdf | itext | — | — |
| itextpdf | itext | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vendor_oracle | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Oracle
Oracle Oracle Construction and Engineering Risk Matrix: Platform (iText) — CVE-2017-9096
vendor_oracle · 2020-10-15 · CVSS 8.8 (HIGH)
CVE: CVE-2017-9096
CVSS: 8.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2020 (OCT 2020)
Red Hat
itext: External entities not disabled
vendor_redhat · 2017-11-06 · CVSS 8.8 (HIGH) · CWE-611
Package: itext (Red Hat BPM Suite 6) - Not affected
Package: itext (Red Hat JBoss BRMS 6) - Not affected
Package: itext (Red Hat JBoss Enterprise Application Platform 5) - Will not fix
Package: itext (Red Hat JBoss SOA Platform 5) - Will not fix
GHSA
Improper Restriction of XML External Entity Reference in iText
ghsa · 2022-05-13 · HIGH · CWE-611
OSV
Improper Restriction of XML External Entity Reference in iText
osv · 2022-05-13 · HIGH
No detection rules found.
No public exploits indexed.
arXiv
Threadbox: Sandboxing for Modular Security
arxiv_fulltext · 2025-06-30
Maysara Alhindi, University of Bristol, Bristol, UK
Joseph Hallett, University of Bristol, Bristol, UK
## Abstract
There are many sandboxing mechanisms provided by operating systems to limit what resources applications can access; however, sometimes the use of these mechanisms requires developers to refactor their code to fit the sandboxing model. In this work, we investigate what makes existing sandboxing mechanisms challenging to apply to certain types of applications, and propose Threadbox, a sandboxing mechanism that enables having modular and independent sandboxes, and can be applied to threads and sandbox specific functions. We present case studies to illustrate the applicability
Bugzilla
CVE-2017-9096 itext: External entities not disabled
bugzilla · 2017-11-14 · CVSS 8.8 (HIGH)
External References:
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt
Discussion:
Created itext tracking bugs for this issue:
Affects: fedora-all [bug 1512828]
Bugzilla
CVE-2017-9096 itext: External entities not disabled [fedora-all]
bugzilla · 2017-11-14 · CVSS 8.8 (HIGH)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. W
References:
http://www.securityfocus.com/archive/1/541483/100/0/threaded
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt
https://www.oracle.com/security-alerts/cpuoct2020.html