GHSA-qxqf-2mfx-x8jw: veraPDF has potential XSLT injection vulnerability when using policy files
Impact
Executing policy checks using custom schematron files invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability.
Patches
This has been patched; users should upgrade to veraPDF v1.24.2.
Workarounds
This does not affect standard validation and policy checks, which are veraPDF's common use cases. Most veraPDF users do not insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. If you do, load custom policy files only from sources you trust.
References
Original issue: https://github.com/veraPDF/veraPDF-library/issues/1415
CVE-2024-28109
High severity, GitHub Reviewed. Published Mar 28, 2024 in veraPDF/veraPDF-library; updated May 20, 2024.
Package: org.verapdf:core (Maven)
Affected versions: < 1.24.2
Further affected packages (Maven): org.verapdf:core-arlington, org.verapdf:core-jakarta, org.verapdf:library, org.verapdf:library-arlington, org.verapdf:library-jakarta
Published to the GitHub Advisory Database: May 20, 2024
Last updated: May 20, 2024