{"id":"CVE-2016-2175","details":"Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.","aliases":["GHSA-4c32-xmgj-2g98"],"modified":"2026-04-16T12:00:10.631534Z","published":"2016-06-01T20:59:01.747Z","related":["openSUSE-SU-2024:10208-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:a:apache:pdfbox:2.0:rc1:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"2.0-rc1"}]},{"cpe":"cpe:2.3:a:apache:pdfbox:2.0:rc2:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"2.0-rc2"}]},{"cpe":"cpe:2.3:a:apache:pdfbox:2.0:rc3:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"2.0-rc3"}]},{"cpe":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"8.0"}]}]},"references":[{"type":"WEB","url":"http://mail-archives.us.apache.org/mod_mbox/www-announce/201605.mbox/%3C83a03bcf-f86b-4688-37b5-615c080291d8%40apache.org%3E"},{"type":"WEB","url":"http://packetstormsecurity.com/files/137214/Apache-PDFBox-1.8.11-2.0.0-XML-Injection.html"},{"type":"WEB","url":"http://www.securityfocus.com/archive/1/538503/100/0/threaded"},{"type":"WEB","url":"http://www.securityfocus.com/bid/90902"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ad5fbc86c1d1821ae1b963e8561ab6d6a5f66b2848e84f5a31477f54%40%3Ccommits.tika.apache.org%3E"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2017-0179.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2017-0248.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2017-0249.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2017-0272.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3606"},{"type":"FIX","url":"http://svn.apache.org/viewvc?view=revision&revision=1739564"},{"type":"FIX","url":"http://svn.apache.org/viewvc?view=revision&revision=1739565"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/pdfbox","events":[{"introduced":"0"},{"last_affected":"cc7eeb2147fa787468542bc8a577fe35c19c0473"},{"last_affected":"df408e9a28d668ea3cbb9f9656cdfc541c437bb4"},{"last_affected":"2b8d37ebb43750a82575f0fb3f137739db2ade73"},{"last_affected":"2a29f8e55653f54dc46ea9eddacbb5a52f523964"},{"last_affected":"32e458545c32312ee4d73912de159694a012e933"},{"last_affected":"6e177c78b9557ce15f22cc7ba48906c86d30b2e4"},{"last_affected":"98aa3f2e33aae00b15c6ca6ab56382960cf05a79"},{"last_affected":"48ba8b28ba8b7743c8608b368b521c1f97abc118"},{"last_affected":"6d478f0e228563ad5a713b035767a59e0e8f85ff"},{"last_affected":"a6cb7b07997b0e324708cb73d1b224f8ebe60c0b"},{"last_affected":"62e41dde57c9caf5598ba365a2816080383757ce"},{"last_affected":"be4df58d7197e386fe2ac74c96bcf6a75dbcae03"},{"last_affected":"9b2e8e73b853d38490de98041627a3f9b075eb96"}],"database_specific":{"cpe":["cpe:2.3:a:apache:pdfbox:1.8.0:*:*:*:*:*:*:*","cpe:2.3:a:apache:pdfbox:1.8.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:pdfbox:1.8.2:*:*:*:*:*:*:*","cpe:2.3:a:apache:pdfbox:1.8.3:*:*:*:*:*:*:*","cpe:2.3:a:apache:pdfbox:1.8.4:*:*:*:*:*:*:*","cpe:2.3:a:apache:pdfbox:1.8.5:*:*:*:*:*:*:*","cpe:2.3:a:apache:pdfbox:1.8.6:*:*:*:*:*:*:*","cpe:2.3:a:apache:pdfbox:1.8.7:*:*:*:*:*:*:*","cpe:2.3:a:apache:pdfbox:1.8.8:*:*:*:*:*:*:*","cpe:2.3:a:apache:pdfbox:1.8.9:*:*:*:*:*:*:*","cpe:2.3:a:apache:pdfbox:1.8.10:*:*:*:*:*:*:*","cpe:2.3:a:apache:pdfbox:1.8.11:*:*:*:*:*:*:*","cpe:2.3:a:apache:pdfbox:2.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"1.8.0"},{"last_affected":"1.8.1"},{"last_affected":"1.8.2"},{"last_affected":"1.8.3"},{"last_affected":"1.8.4"},{"last_affected":"1.8.5"},{"last_affected":"1.8.6"},{"last_affected":"1.8.7"},{"last_affected":"1.8.8"},{"last_affected":"1.8.9"},{"last_affected":"1.8.10"},{"last_affected":"1.8.11"},{"last_affected":"2.0"}]}}],"versions":["1.8.0","1.8.1","1.8.10","1.8.11","1.8.2","1.8.3","1.8.4","1.8.5","1.8.6","1.8.7","1.8.8","1.8.9","2.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-2175.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}