CVE-2017-9096
XML External Entity (XXE) vulnerability in itextpdf (Maven)
What is CVE-2017-9096 About?
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 are vulnerable to XML External Entity (XXE) attacks. This is due to their failure to disable external entities when parsing XML. Attackers can exploit this via crafted PDFs to read local files or initiate network requests.
Affected Software
- com.itextpdf:itextpdf
  - >7.0.0, <7.0.3
  - <5.5.12
- com.lowagie:itext
  - <=4.2.2
Technical Details
iText versions prior to 5.5.12 and 7.x prior to 7.0.3 use XML parsers that do not explicitly disable the processing of external entities. A specially crafted PDF can embed an XML structure containing an external entity declaration (e.g., <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>). When the iText library processes such a PDF and its embedded XML, the parser resolves the external entity and fetches content from the specified SYSTEM identifier. This allows an attacker to read arbitrary local files (such as /etc/passwd), perform server-side request forgery (SSRF) by making the server connect to internal or external network resources, or potentially execute remote code if the XML processing involves vulnerable integrations.
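The root cause above is a missing parser configuration rather than a parsing bug. As an added example (not iText's own code), the following shows a JAXP DocumentBuilderFactory hardened against XXE and checked against a constructed XML fragment of the kind the advisory describes; the feature URIs are the standard Xerces/JDK ones, while the class and method names are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Constructed sample: the XML structure the advisory describes, with an
    // external entity declaration pointing at a local file.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
      + "<foo>&xxe;</foo>";

    // JAXP factory configured the way the vulnerable versions were not:
    // no DOCTYPE at all, no external general or parameter entities, no external
    // DTD loading, no XInclude, secure processing enabled.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true when the hardened parser rejects the document before any
    // entity is resolved; false means the factory would have fetched the file.
    static boolean rejectsExternalEntities(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXException e) {
            // The JDK's built-in parser fails at the DOCTYPE declaration itself,
            // so the SYSTEM identifier is never opened.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejected sample: " + rejectsExternalEntities(SAMPLE_XML));
    }
}
```

Running the same sample through a default DocumentBuilderFactory (no setFeature calls) is the quick way to confirm which of an application's parser factories still resolve the entity.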
What is the Impact of CVE-2017-9096?
Successful exploitation may allow attackers to read arbitrary local files, perform server-side request forgery (SSRF), or potentially initiate denial-of-service attacks.
What is the Exploitability of CVE-2017-9096?
Exploitation of this XXE vulnerability has moderate complexity. An attacker must create a specially crafted PDF file containing an XML external entity payload. No authentication or specific privileges are required on the target system; exploitation occurs when an application using the vulnerable iText library parses the malicious PDF. This is a remote vulnerability if the application accepts and processes PDFs from untrusted sources (e.g., uploads, email attachments) without sanitization. The likelihood of exploitation increases in environments where user-supplied PDFs are processed automatically or without strict XML entity parsing restrictions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| jakabakos | Link | PoC for CVE-2017-9096 |
What are the Available Fixes for CVE-2017-9096?
Available Upgrade Options
- com.itextpdf:itextpdf
  - <5.5.12 → Upgrade to 5.5.12
  - >7.0.0, <7.0.3 → Upgrade to 7.0.3
Additional Resources
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
- http://www.securityfocus.com/archive/1/541483/100/0/threaded
- https://nvd.nist.gov/vuln/detail/CVE-2017-9096
- https://osv.dev/vulnerability/GHSA-86p9-x5pw-94qx
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2017-017_itext_xml_external_entity_attack.txt
What are Similar Vulnerabilities to CVE-2017-9096?
Similar Vulnerabilities: CVE-2017-1000000, CVE-2018-12499, CVE-2019-13012, CVE-2020-25695, CVE-2021-21396
