With the release of 2.10, fop-core at 2.9 is now flagged with CVE-2024-28168,
which is considered a SEVERE / HIGH violation by Sonatype Lifecycle
vulnerability scans.
Description from CVE
Improper Restriction of XML External Entity Reference ('XXE') vulnerability in
Apache XML Graphics FOP. This issue affects Apache XML Graphics FOP: 2.9. Users
are recommended to upgrade to version 2.10, which fixes the issue.
Explanation
Apache XML Graphics FOP is vulnerable to XML eXternal Entity (XXE) attacks due
to the Improper Restriction of XML External Entity Reference. The transformTo()
method in the InputHandler class processes malicious external entities by
default due to an unsafe XML parser configuration. A remote attacker who can
supply an XML file to be parsed by this package can exploit this vulnerability
to exfiltrate sensitive information, execute Server-Side Request Forgery
(SSRF), or perform other XXE-related attacks.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to
this specific issue.
Note: If this component is included as a bundled/transitive dependency of
another component, there may not be an upgrade path. In this instance, we
recommend contacting the maintainers who included the vulnerable package.
Alternatively, we recommend investigating alternative components or a potential
mitigating control.
Version Affected
[2.4,2.9]
Root Cause
fop-core-2.9.jar : org/apache/fop/cli/InputHandler.class ( , 2.10)
Advisories
Project: https://github.com/advisories/GHSA-jqfv-jrvq-95jm
CVSS Details
CVE CVSS 3: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
-Josh
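The Explanation above attributes the issue to an unsafe XML parser configuration in the CLI InputHandler, and the Recommendation mentions a "mitigating control" where an upgrade is blocked. The following is an added example, not code from the FOP project or from this thread, of what that control looks like for an application that embeds FOP: the FO input is parsed only through a SAX reader that refuses DOCTYPEs and external entities, and that reader is handed to FOP via the public embedding API (FopFactory/Fop, assumed here in place of the CLI path). The class name HardenedFoRenderer and the sample document are constructed for the example.

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXResult;
import javax.xml.transform.sax.SAXSource;
import org.apache.fop.apps.Fop;
import org.apache.fop.apps.FopFactory;
import org.apache.fop.apps.MimeConstants;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
public class HardenedFoRenderer {
  // Reader that refuses any DOCTYPE and never resolves external entities:
  // the mitigating control for XXE when the vulnerable parser path cannot be upgraded.
  static XMLReader hardenedReader() throws Exception {
    SAXParserFactory spf = SAXParserFactory.newInstance();
    spf.setNamespaceAware(true);
    spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    spf.setXIncludeAware(false);
    return spf.newSAXParser().getXMLReader();
  }
  // Render an XSL-FO document to PDF bytes through FOP's embedding API (assumed here
  // instead of the CLI InputHandler), feeding FOP only from the hardened reader.
  static byte[] renderPdf(String foXml) throws Exception {
    FopFactory fopFactory = FopFactory.newInstance(new File(".").toURI());
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    Fop fop = fopFactory.newFop(MimeConstants.MIME_PDF, out);
    TransformerFactory tf = TransformerFactory.newInstance();
    tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    SAXSource src = new SAXSource(hardenedReader(), new InputSource(new StringReader(foXml)));
    tf.newTransformer().transform(src, new SAXResult(fop.getDefaultHandler()));
    return out.toByteArray();
  }
  public static void main(String[] args) throws Exception {
    // Constructed sample: an FO document carrying a DOCTYPE with an external entity (placeholder URI).
    String withDoctype = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE fo:root [ <!ENTITY ext SYSTEM \"file:///placeholder/never/read\"> ]>\n"
        + "<fo:root xmlns:fo=\"http://www.w3.org/1999/XSL/Format\"/>";
    try {
      renderPdf(withDoctype);
      System.out.println("UNEXPECTED: document with a DOCTYPE was accepted");
    } catch (Exception e) {
      System.out.println("Rejected before FOP saw it: " + e.getMessage());
    }
  }
}
```

Because the DOCTYPE is refused by the reader, the entity is never resolved and FOP never receives the document; a well-formed FO file without a DOCTYPE renders normally through the same path.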