ID

VAR-201904-1550


CVE

CVE-2019-0228


TITLE

Apache PDFBox XML External Entity vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-003486

DESCRIPTION

Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. An XML External Entity vulnerability therefore exists in Apache PDFBox; successful exploitation may result in information disclosure, information tampering, or disruption of service (DoS). There is currently no further information about this vulnerability; follow CNNVD or vendor announcements. Attackers can exploit this issue to obtain potentially sensitive information or cause a denial-of-service condition, which may lead to further attacks. Apache PDFBox 2.0.14 is vulnerable.

Trust: 2.52

sources: NVD: CVE-2019-0228 // JVNDB: JVNDB-2019-003486 // CNNVD: CNNVD-202104-975 // BID: 107904 // VULMON: CVE-2019-0228

AFFECTED PRODUCTS

vendor        | model                                         | scope | version    | Trust
apache        | pdfbox                                        | eq    | 2.0.14     | 2.1
oracle        | banking virtual account management            | eq    | 14.3.0     | 1.0
fedoraproject | fedora                                        | eq    | 30         | 1.0
oracle        | banking supply chain finance                  | eq    | 14.2       | 1.0
oracle        | banking supply chain finance                  | eq    | 14.3       | 1.0
oracle        | communications session report manager         | lte   | 8.2.4.0    | 1.0
oracle        | retail xstore point of service                | eq    | 16.0.6     | 1.0
oracle        | banking credit facilities process management  | eq    | 14.2       | 1.0
oracle        | webcenter sites                               | eq    | 12.2.1.3.0 | 1.0
oracle        | webcenter sites                               | eq    | 12.2.1.4.0 | 1.0
oracle        | banking credit facilities process management  | eq    | 14.3       | 1.0
oracle        | peoplesoft enterprise peopletools             | eq    | 8.59       | 1.0
oracle        | banking corporate lending process management  | eq    | 14.5       | 1.0
oracle        | banking trade finance process management      | eq    | 14.5       | 1.0
oracle        | hyperion financial reporting                  | eq    | 11.1.2.4   | 1.0
oracle        | retail xstore point of service                | eq    | 17.0       | 1.0
oracle        | banking virtual account management            | eq    | 14.5       | 1.0
oracle        | retail xstore point of service                | eq    | 18.0.3     | 1.0
oracle        | banking trade finance process management      | eq    | 14.3       | 1.0
oracle        | banking corporate lending process management  | eq    | 14.2       | 1.0
fedoraproject | fedora                                        | eq    | 29         | 1.0
apache        | james                                         | eq    | 3.3.0      | 1.0
oracle        | banking supply chain finance                  | eq    | 14.5       | 1.0
oracle        | banking corporate lending process management  | eq    | 14.3       | 1.0
oracle        | banking trade finance process management      | eq    | 14.2       | 1.0
oracle        | banking virtual account management            | eq    | 14.2       | 1.0
oracle        | communications session report manager         | gte   | 8.0.0.0    | 1.0
oracle        | banking credit facilities process management  | eq    | 14.5       | 1.0
oracle        | hyperion financial reporting                  | eq    | 11.2.6.0   | 1.0
apache        | james                                         | eq    | 3.4.0      | 1.0
oracle        | peoplesoft enterprise peopletools             | eq    | 8.58       | 1.0
oracle        | communications messaging server               | eq    | 8.1        | 1.0
redhat        | jboss fuse service works                      | eq    | 6.0        | 0.3
redhat        | jboss fuse                                    | eq    | 6.0        | 0.3
redhat        | jboss fuse                                    | eq    | 7.0        | 0.3
apache        | pdfbox                                        | ne    | 2.0.15     | 0.3

sources: BID: 107904 // JVNDB: JVNDB-2019-003486 // NVD: CVE-2019-0228

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-0228
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-0228
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201904-638
value: CRITICAL

Trust: 0.6

VULMON: CVE-2019-0228
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-0228
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2019-0228
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-0228
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2019-0228 // JVNDB: JVNDB-2019-003486 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-201904-638 // NVD: CVE-2019-0228

PROBLEMTYPE DATA

problemtype: CWE-611

Trust: 1.8

sources: JVNDB: JVNDB-2019-003486 // NVD: CVE-2019-0228

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-638

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003486

PATCH

title: [SECURITY] CVE-2019-0228 Apache PDFBox XML External Entity vulnerability
url: https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3Cusers.pdfbox.apache.org%3E

Trust: 0.8

title: Apache PDFBox Fixes for code issue vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91438

Trust: 0.6

title: SkillSearchEngine
url: https://github.com/bluesNbrews/SkillSearchEngine

Trust: 0.1

title: -
url: https://github.com/CGCL-codes/PHunter

Trust: 0.1

sources: VULMON: CVE-2019-0228 // JVNDB: JVNDB-2019-003486 // CNNVD: CNNVD-201904-638

EXTERNAL IDS

db       | id                        | Trust
NVD      | CVE-2019-0228             | 2.8
OPENWALL | OSS-SECURITY/2019/04/12/1 | 0.9
BID      | 107904                    | 0.9
JVNDB    | JVNDB-2019-003486         | 0.8
CS-HELP  | SB2021041363              | 0.6
CNNVD    | CNNVD-202104-975          | 0.6
CS-HELP  | SB2021072725              | 0.6
CS-HELP  | SB2021042320              | 0.6
CS-HELP  | SB2021042642              | 0.6
AUSCERT  | ESB-2019.1293             | 0.6
CNNVD    | CNNVD-201904-638          | 0.6
VULMON   | CVE-2019-0228             | 0.1

sources: VULMON: CVE-2019-0228 // BID: 107904 // JVNDB: JVNDB-2019-003486 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-201904-638 // NVD: CVE-2019-0228

REFERENCES

url:https://www.oracle.com/security-alerts/cpuapr2021.html

Trust: 2.3

url:https://www.oracle.com/security-alerts/cpuapr2020.html

Trust: 1.7

url:https://www.oracle.com//security-alerts/cpujul2021.html

Trust: 1.7

url:https://www.oracle.com/security-alerts/cpuoct2021.html

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-0228

Trust: 1.4

url:https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd%40%3cserver-dev.james.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4%40%3ccommits.tika.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c%40%3ccommits.tika.apache.org%3e

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/popoghj5cvmuvcrqu7apban5ivzgzfdx/

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6hkvptjwzgub4mh4aaowmrjhrdbyfhgj/

Trust: 1.1

url:https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2%40%3cserver-dev.james.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d%40%3cusers.pdfbox.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79%40%3cusers.pdfbox.apache.org%3e

Trust: 1.1

url:https://pdfbox.apache.org/

Trust: 0.9

url:https://issues.apache.org/jira/browse/pdfbox-4505

Trust: 0.9

url:https://github.com/apache/pdfbox/blob/2.0/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/fdf/fdfannotationstamp.java#l144-l164

Trust: 0.9

url:https://github.com/apache/pdfbox/releases

Trust: 0.9

url:https://bugzilla.redhat.com/show_bug.cgi?id=1699740

Trust: 0.9

url:https://www.openwall.com/lists/oss-security/2019/04/12/1

Trust: 0.9

url:https://access.redhat.com/security/cve/cve-2019-0228

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-0228

Trust: 0.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c@%3ccommits.tika.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3cusers.pdfbox.apache.org%3e

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/popoghj5cvmuvcrqu7apban5ivzgzfdx/

Trust: 0.6

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6hkvptjwzgub4mh4aaowmrjhrdbyfhgj/

Trust: 0.6

url:https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d@%3cusers.pdfbox.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4@%3ccommits.tika.apache.org%3e

Trust: 0.6

url:httpd.apache.org/

Trust: 0.6

url:http://

Trust: 0.6

url:https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2@%3cserver-dev.james.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd@%3cserver-dev.james.apache.org%3e

Trust: 0.6

url:http://mail-archives.apache.org/mod

Trust: 0.6

url:https://vigilance.fr/vulnerability/apache-pdfbox-external-xml-entity-injection-30277

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-pdfbox-affect-apache-solr-shipped-with-ibm-operations-analytics-log-analysis-cve-2019-0228/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021072725

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021042642

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-workspace-is-affected-by-security-vulnerabilities/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-pdfbox-affects-ibm-control-center-cve-2019-0228/

Trust: 0.6

url:https://www.oracle.com/security-alerts/cpujul2021.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021042320

Trust: 0.6

url:https://www.auscert.org.au/bulletins/79094

Trust: 0.6

url:https://www.securityfocus.com/bid/107904

Trust: 0.6

url:http://httpd.apache.org/

Trust: 0.3

url:https://github.com/apache/pdfbox

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/611.html

Trust: 0.1

url:https://tools.cisco.com/security/center/viewalert.x?alertid=60042

Trust: 0.1

url:https://github.com/bluesnbrews/skillsearchengine

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2019-0228 // BID: 107904 // JVNDB: JVNDB-2019-003486 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-201904-638 // NVD: CVE-2019-0228

CREDITS

Kurt Boberg of DocuSign.

Trust: 0.9

sources: BID: 107904 // CNNVD: CNNVD-201904-638

SOURCES

db     | id
VULMON | CVE-2019-0228
BID    | 107904
JVNDB  | JVNDB-2019-003486
CNNVD  | CNNVD-202104-975
CNNVD  | CNNVD-201904-638
NVD    | CVE-2019-0228

LAST UPDATE DATE

2024-11-23T21:31:23.348000+00:00


SOURCES UPDATE DATE

db     | id                | date
VULMON | CVE-2019-0228     | 2023-11-07T00:00:00
BID    | 107904            | 2019-04-15T00:00:00
JVNDB  | JVNDB-2019-003486 | 2019-05-17T00:00:00
CNNVD  | CNNVD-202104-975  | 2021-04-14T00:00:00
CNNVD  | CNNVD-201904-638  | 2021-10-21T00:00:00
NVD    | CVE-2019-0228     | 2024-11-21T04:16:32.607

SOURCES RELEASE DATE

db     | id                | date
VULMON | CVE-2019-0228     | 2019-04-17T00:00:00
BID    | 107904            | 2019-04-15T00:00:00
JVNDB  | JVNDB-2019-003486 | 2019-05-17T00:00:00
CNNVD  | CNNVD-202104-975  | 2021-04-13T00:00:00
CNNVD  | CNNVD-201904-638  | 2019-04-15T00:00:00
NVD    | CVE-2019-0228     | 2019-04-17T15:29:00.703