Home > Vulnerability Database > CVE-2024-52800

Mend.io Vulnerability Database

CVE-2024-52800

Good to know:

Date: November 29, 2024

veraPDF is an open source PDF/A validation library. Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust. This issue has not yet been patched. Users are advised to be cautious of XSLT code until a patch is available.

Language: Java

Severity Score

6.5

Related Resources (5)

Url: https://github.com/veraPDF/veraPDF-library/issues/1488

Url: https://github.com/veraPDF/veraPDF-library

Url: https://github.com/veraPDF/veraPDF-library/security/advisories/GHSA-4cx5-89vm-833x

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-52800

Url: https://www.mend.io/vulnerability-database/CVE-2024-52800

Severity Score

6.5

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference

CWE-611

Top Fix

Upgrade Version

Upgrade to version org.verapdf:core:1.26.2;org.verapdf:core-jakarta:1.26.2;org.verapdf:verapdf-library:1.26.2;org.verapdf:verapdf-library-jakarta:1.26.2

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-52800

Good to know:

Date: November 29, 2024

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?