CVE-2024-28109: veraPDF has potential XSLT injection vulnerability when using policy files
Executing policy checks using custom schematron files invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability.
References
- github.com/advisories/GHSA-qxqf-2mfx-x8jw
- github.com/veraPDF/veraPDF-library
- github.com/veraPDF/veraPDF-library/commit/614ffa477a2cf0819e4b0df1ab133610e0da25fb
- github.com/veraPDF/veraPDF-library/commit/9386ecbe1a1d1fb9e886d19df28851ed07890d9f
- github.com/veraPDF/veraPDF-library/commit/d5314cbdf4e058e0716f80dbdad2dbd8d96e6bfe
- github.com/veraPDF/veraPDF-library/issues/1415
- github.com/veraPDF/veraPDF-library/security/advisories/GHSA-qxqf-2mfx-x8jw
- nvd.nist.gov/vuln/detail/CVE-2024-28109
Code Behaviors & Features
Detect and mitigate CVE-2024-28109 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →