CVE-2019-0228
Vulnerability that affects org.apache.pdfbox:pdfbox
Severity: 9.8 CRITICAL (CVSS 3.1)
EPSS: 13.0%
Description
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF (XML Forms Data Format) file.
How to fix CVE-2019-0228
To remediate CVE-2019-0228, upgrade the affected package to the fixed version listed below.
- Maven / org.apache.pdfbox:pdfbox: upgrade to 2.0.15 or later
Is CVE-2019-0228 being exploited?
Moderate: EPSS is 13.0%. Track this CVE, but it does not belong at the top of the prioritisation list.
Affected packages (1)
- org.apache.pdfbox:pdfbox: >= 2.0.14, < 2.0.15
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (14)
- Advisory: github.com/advisories/GHSA-c9jj-3wvg-q65h
- Advisory: nvd.nist.gov/vuln/detail/CVE-2019-0228
- Web: lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3Cusers.pdfbox.apache.org%3E
- Web: lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c@%3Ccommits.tika.apache.org%3E