Vulnerability Description
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Pdfbox | 2.0.14 |
| Apache | James | 3.3.0 |
| Fedoraproject | Fedora | 29 |
| Oracle | Banking Corporate Lending Process Management | 14.2 |
| Oracle | Banking Credit Facilities Process Management | 14.2 |
| Oracle | Banking Supply Chain Finance | 14.2 |
| Oracle | Banking Trade Finance Process Management | 14.2 |
| Oracle | Banking Virtual Account Management | 14.2 |
| Oracle | Communications Messaging Server | 8.1 |
| Oracle | Communications Session Report Manager | >= 8.0.0.0, <= 8.2.4.0 |
| Oracle | Hyperion Financial Reporting | 11.1.2.4 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Retail Xstore Point Of Service | 16.0.6 |
| Oracle | Webcenter Sites | 12.2.1.3.0 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c
- https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae17005
- https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f
- https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99
- https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0
- https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.oracle.com//security-alerts/cpujul2021.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuApr2021.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Third Party Advisory)
FAQ
What is CVE-2019-0228?
CVE-2019-0228 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.
How severe is CVE-2019-0228?
CVE-2019-0228 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-0228?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Pdfbox, Apache James, Fedoraproject Fedora, Oracle Banking Corporate Lending Process Management, Oracle Banking Credit Facilities Process Management.