Remote Code Execution Vulnerability in veraPDF-library Could Lead to Security Risks
CVE-2024-28109

8.1 HIGH

Key Information:

Vendor

VeraPDF

CVE Published:
28 March 2024

What is CVE-2024-28109?

The veraPDF-library, a specialized tool for PDF/A validation, contains a remote code execution vulnerability due to improper handling of custom schematron files. When executing policy checks, the process may utilize an XSL transformation that can be exploited to execute arbitrary code remotely. This flaw poses significant security risks, especially in environments where PDF/A compliance is critical. Users are strongly advised to upgrade to version 1.24.2, where this issue has been addressed.
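The weakness described above is the general one of running an XSL transformation derived from an untrusted policy file with a transformer that still permits extension functions and external resource fetches. The following is an added example, not code from veraPDF-library or from the advisory: it shows how a JAXP `TransformerFactory` can be hardened so that a policy stylesheet can only compute over the validation report and cannot call into the JVM or fetch remote resources. The stylesheet and the report document are constructed stand-ins (real veraPDF policy files and reports have a different structure), and the class and method names are this example's own.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedPolicyTransform {

    // Constructed sample: a stand-in for a policy stylesheet generated from a
    // user-supplied schematron file. It counts failed rules in a report.
    static final String POLICY_XSLT =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/report\">"
      + "<xsl:value-of select=\"count(rule[@status='failed'])\"/>"
      + "</xsl:template>"
      + "</xsl:stylesheet>";

    // Constructed sample validation report (not a real veraPDF report format).
    static final String REPORT_XML =
        "<report><rule status=\"passed\"/><rule status=\"failed\"/><rule status=\"failed\"/></report>";

    /**
     * Builds a TransformerFactory configured for untrusted stylesheets.
     * With FEATURE_SECURE_PROCESSING enabled, the JDK's built-in XSLT
     * processor disables extension functions and elements, which is the
     * mechanism an XSLT-based code-execution path relies on. The two
     * ACCESS_EXTERNAL_* attributes (JAXP 1.5) additionally stop the
     * stylesheet from pulling in external DTDs or imported stylesheets.
     */
    static TransformerFactory secureFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /** Applies a policy stylesheet to a report using only the hardened factory. */
    static String applyPolicy(String stylesheet, String document) throws Exception {
        Transformer transformer = secureFactory()
            .newTransformer(new StreamSource(new StringReader(stylesheet)));
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(document)), new StreamResult(out));
        return out.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("failed rules: " + applyPolicy(POLICY_XSLT, REPORT_XML));
    }
}
```

A benign policy stylesheet like the one above runs unchanged under these settings; a stylesheet that tries to invoke extension functions or load external resources is rejected by the processor instead of being executed. The `ACCESS_EXTERNAL_*` attributes are honoured by the JDK's own processor; a third-party XSLT engine on the classpath may throw `IllegalArgumentException` for them and needs its own equivalent configuration. Hardening the factory is defence in depth for any code that transforms user-controlled stylesheets; for this CVE, the actual fix is the upgrade to 1.24.2 named above.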

Affected Version(s)

veraPDF-library < 1.24.2

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
