{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28109", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-04T14:19:14.059Z", "datePublished": "2024-03-28T13:19:39.906Z", "dateUpdated": "2024-08-02T00:48:48.254Z"}, "containers": {"cna": {"title": "Potential XSLT injection vulnerability when using policy files", "problemTypes": [{"descriptions": [{"cweId": "CWE-91", "lang": "en", "description": "CWE-91: XML Injection (aka Blind XPath Injection)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw"}, {"name": "https://github.com/veraPDF/veraPDF-library/issues/1415", "tags": ["x_refsource_MISC"], "url": "https://github.com/veraPDF/veraPDF-library/issues/1415"}, {"name": "https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb", "tags": ["x_refsource_MISC"], "url": "https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb"}, {"name": "https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f", "tags": ["x_refsource_MISC"], "url": "https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f"}, {"name": "https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe", "tags": ["x_refsource_MISC"], "url": "https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe"}], "affected": [{"vendor": "veraPDF", "product": "veraPDF-library", "versions": [{"version": "< 1.24.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-28T13:19:39.906Z"}, "descriptions": [{"lang": "en", "value": "veraPDF-library is a PDF/A validation library. Executing policy checks using custom schematron files invokes an XSL transformation that could lead to a remote code execution (RCE) vulnerability. This vulnerability is fixed in 1.24.2."}], "source": {"advisory": "GHSA-qxqf-2mfx-x8jw", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "verapdf", "product": "verapdf-library", "cpes": ["cpe:2.3:a:verapdf:verapdf-library:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.24.2", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-23T17:57:42.795412Z", "id": "CVE-2024-28109", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T21:06:10.317Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:48.254Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw"}, {"name": "https://github.com/veraPDF/veraPDF-library/issues/1415", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/veraPDF/veraPDF-library/issues/1415"}, {"name": "https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb"}, {"name": "https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f"}, {"name": "https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw", "name": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/veraPDF/veraPDF-library/issues/1415", "name": "https://github.com/veraPDF/veraPDF-library/issues/1415", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb", "name": "https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f", "name": "https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe", "name": "https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:48.254Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28109", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-23T17:57:42.795412Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:verapdf:verapdf-library:*:*:*:*:*:*:*:*"], "vendor": "verapdf", "product": "verapdf-library", "versions": [{"status": "affected", "version": "0", "lessThan": "1.24.2", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T19:07:57.212Z"}}], "cna": {"title": "Potential XSLT injection vulnerability when using policy files", "source": {"advisory": "GHSA-qxqf-2mfx-x8jw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "veraPDF", "product": "veraPDF-library", "versions": [{"status": "affected", "version": "< 1.24.2"}]}], "references": [{"url": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw", "name": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/veraPDF/veraPDF-library/issues/1415", "name": "https://github.com/veraPDF/veraPDF-library/issues/1415", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb", "name": "https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f", "name": "https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe", "name": "https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "veraPDF-library is a PDF/A validation library. Executing policy checks using custom schematron files invokes an XSL transformation that could lead to a remote code execution (RCE) vulnerability. This vulnerability is fixed in 1.24.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-91", "description": "CWE-91: XML Injection (aka Blind XPath Injection)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-28T13:19:39.906Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28109", "state": "PUBLISHED", "dateUpdated": "2024-08-02T00:48:48.254Z", "dateReserved": "2024-03-04T14:19:14.059Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-28T13:19:39.906Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "veraPDF-library is a PDF/A validation library. Executing policy checks using custom schematron files invokes an XSL transformation that could lead to a remote code execution (RCE) vulnerability. This vulnerability is fixed in 1.24.2."}, {"lang": "es", "value": "veraPDF-library es una librer\u00eda de validaci\u00f3n de PDF/A. La ejecuci\u00f3n de comprobaciones de pol\u00edticas utilizando archivos de esquema personalizados invoca una transformaci\u00f3n XSL que podr\u00eda provocar una vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo (RCE). Esta vulnerabilidad se solucion\u00f3 en 1.24.2."}], "id": "CVE-2024-28109", "lastModified": "2024-03-28T16:07:30.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-03-28T14:15:13.863", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb"}, {"source": "security-advisories@github.com", "url": "https://github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f"}, {"source": "security-advisories@github.com", "url": "https://github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe"}, {"source": "security-advisories@github.com", "url": "https://github.com/veraPDF/veraPDF-library/issues/1415"}, {"source": "security-advisories@github.com", "url": "https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-91"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}