CVE-2017-9096 — XML External Entity (XXE) Injection in Itext

CWE-611 — XML External Entity (XXE) Injection8 documents7 sources

Severity

8.8HIGHNVD

EPSS

11.5%

top 6.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Itextpdf Itext

Timeline

PublishedNov 8

Latest updateJun 30

Description

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDitextpdf/itext< 5.5.12+3

🔴Vulnerability Details

GHSA

Improper Restriction of XML External Entity Reference in iText↗2022-05-13

▶

OSV

Improper Restriction of XML External Entity Reference in iText↗2022-05-13

▶

📋Vendor Advisories

Oracle

Oracle Oracle Construction and Engineering Risk Matrix: Platform (iText) — CVE-2017-9096↗2020-10-15

▶

Red Hat

itext: External entities not disabled↗2017-11-06

▶

📄Research Papers

arXiv

Threadbox: Sandboxing for Modular Security↗2025-06-30

▶

💬Community

Bugzilla

CVE-2017-9096 itext: External entities not disabled↗2017-11-14

▶

Bugzilla

CVE-2017-9096 itext: External entities not disabled [fedora-all]↗2017-11-14

▶