Vulnerability Name: CVE-2019-0228 (CCN-160868)
Assigned: 2018-11-14
Published: 2019-04-12
Updated: 2022-04-29

Summary: Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.

CVSS v3 Severity:
9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High; Integrity (I): High; Availability (A): High

5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High; Integrity (I): None; Availability (A): None

CVSS v2 Severity:
7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial

4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Local; Access Complexity (AC): Low; Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete; Integrity (I): None; Availability (A): None
Vulnerability Type: CWE-611
Vulnerability Consequences: Obtain Information

References:
Source: MITRE Type: CNA CVE-2019-0228
Source: XF Type: UNKNOWN apache-cve20190228-info-disc(160868)
Source: CCN Type: Apache Mailing List, 2019/04/12 04:43:44 CVE-2019-0228: Apache PDFBox XML External Entity vulnerability
Source: MISC Type: Mailing List, Vendor Advisory https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3Cusers.pdfbox.apache.org%3E
Source: MLIST Type: Mailing List, Patch, Vendor Advisory [tika-commits] 20190802 svn commit: r1864252 [1/17] - in /tika/site: publish/ publish/1.10/ publish/1.11/ publish/1.12/ publish/1.13/ publish/1.14/ publish/1.15/ publish/1.16/ publish/1.17/ publish/1.18/ publish/1.19.1/ publish/1.19/ publish/1.20/ publish/1.21/ publish/1.22/ ...
Source: MLIST Type: Issue Tracking, Mailing List, Vendor Advisory [james-server-dev] 20190708 [jira] [Created] (JAMES-2819) Upgrade pdfbox following CVE-2019-0228
Source: MLIST Type: Mailing List, Patch, Vendor Advisory [tika-commits] 20190802 svn commit: r1864251 [1/17] - in /tika/site: publish/ publish/1.10/ publish/1.11/ publish/1.12/ publish/1.13/ publish/1.14/ publish/1.15/ publish/1.16/ publish/1.17/ publish/1.18/ publish/1.19.1/ publish/1.19/ publish/1.20/ publish/1.21/ publish/1.22/ ...
Source: MLIST Type: Issue Tracking, Mailing List, Vendor Advisory [pdfbox-users] 20210120 Security Vulnerability with PDFbox 1.8.16
Source: MLIST Type: Issue Tracking, Mailing List, Vendor Advisory [james-server-dev] 20200618 [jira] [Closed] (JAMES-2819) Upgrade pdfbox following CVE-2019-0228
Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2019-6fa01d12b4
Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2019-9e91afa2be
Source: CCN Type: Apache PDFBox Web site Apache PDFBox
Source: CCN Type: IBM Security Bulletin 1284514 (Control Center) Vulnerability in Apache PDFBox Affects IBM Control Center (CVE-2019-0228)
Source: CCN Type: IBM Security Bulletin 6214472 (Planning Analytics Local) IBM Planning Analytics Workspace is affected by security vulnerabilities
Source: CCN Type: IBM Security Bulletin 6444757 (Log Analysis) Vulnerability in Apache PDFBox affect Apache Solr shipped with IBM Operations Analytics - Log Analysis (CVE-2019-0228)
Source: CCN Type: Oracle Critical Patch Update Advisory - April 2021 Oracle Critical Patch Update Advisory - April 2021
Source: MISC Type: Third Party Advisory https://www.oracle.com/security-alerts/cpuApr2021.html
Source: CCN Type: Oracle CPUJul2021 Oracle Critical Patch Update Advisory - July 2021
Source: MISC Type: Third Party Advisory https://www.oracle.com/security-alerts/cpuoct2021.html
Source: CCN Type: WhiteSource Vulnerability Database CVE-2019-0228

Vulnerable Configuration:
Configuration 1:
cpe:/a:apache:pdfbox:2.0.14:*:*:*:*:*:*:*

Configuration 2:
cpe:/a:apache:james:3.3.0:*:*:*:*:*:*:* OR
cpe:/a:apache:james:3.4.0:*:*:*:*:*:*:*

Configuration 3:
cpe:/o:fedoraproject:fedora:29:*:*:*:*:*:*:* OR
cpe:/o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Configuration 4:
cpe:/a:oracle:banking_corporate_lending_process_management:14.2:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_corporate_lending_process_management:14.3:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_credit_facilities_process_management:14.2:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_credit_facilities_process_management:14.3:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_credit_facilities_process_management:14.5:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_supply_chain_finance:14.2:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_supply_chain_finance:14.3:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_supply_chain_finance:14.5:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_trade_finance_process_management:14.2:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_trade_finance_process_management:14.3:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_trade_finance_process_management:14.5:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_virtual_account_management:14.2:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:banking_virtual_account_management:14.5:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.2.4.0) OR
cpe:/a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:* OR
cpe:/a:oracle:hyperion_financial_reporting:11.2.6.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* OR
cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:* OR
cpe:/a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:* OR
cpe:/a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:* OR
cpe:/a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:webcenter_sites:12.2.1.4.0:*:*:*:*:*:*:* OR
cpe:/o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*

Configuration CCN 1:
cpe:/a:apache:pdfbox:2.0.14:*:*:*:*:*:*:* AND
cpe:/a:ibm:control_center:6.0:*:*:*:*:*:*:* OR
cpe:/a:ibm:control_center:6.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:planning_analytics_local:2.0:*:*:*:*:*:*:* OR
cpe:/a:ibm:log_analysis:1.3.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:log_analysis:1.3.2:*:*:*:*:*:*:* OR
cpe:/a:ibm:log_analysis:1.3.3:*:*:*:*:*:*:* OR
cpe:/a:ibm:log_analysis:1.3.4:*:*:*:*:*:*:* OR
cpe:/a:ibm:log_analysis:1.3.5:*:*:*:*:*:*:* OR
cpe:/a:ibm:log_analysis:1.3.6:*:*:*:*:*:*:*

Affected products:
apache pdfbox 2.0.14
apache james 3.3.0
apache james 3.4.0
fedoraproject fedora 29
fedoraproject fedora 30
oracle banking corporate lending process management 14.2
oracle banking corporate lending process management 14.3
oracle banking corporate lending process management 14.5
oracle banking credit facilities process management 14.2
oracle banking credit facilities process management 14.3
oracle banking credit facilities process management 14.5
oracle banking supply chain finance 14.2
oracle banking supply chain finance 14.3
oracle banking supply chain finance 14.5
oracle banking trade finance process management 14.2
oracle banking trade finance process management 14.3
oracle banking trade finance process management 14.5
oracle banking virtual account management 14.2
oracle banking virtual account management 14.3.0
oracle banking virtual account management 14.5
oracle communications messaging server 8.1
oracle communications session report manager *
oracle hyperion financial reporting 11.1.2.4
oracle hyperion financial reporting 11.2.6.0
oracle peoplesoft enterprise peopletools 8.58
oracle peoplesoft enterprise peopletools 8.59
oracle retail xstore point of service 16.0.6
oracle retail xstore point of service 17.0
oracle retail xstore point of service 18.0.3
oracle webcenter sites 12.2.1.3.0
oracle webcenter sites 12.2.1.4.0
oracle communications messaging server 8.1
apache pdfbox 2.0.14
ibm control center 6.0
ibm control center 6.1
ibm planning analytics local 2.0
ibm log analysis 1.3.1
ibm log analysis 1.3.2
ibm log analysis 1.3.3
ibm log analysis 1.3.4
ibm log analysis 1.3.5
ibm log analysis 1.3.6