{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28168", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-03-06T07:55:11.018Z", "datePublished": "2024-10-09T12:04:03.835Z", "dateUpdated": "2024-10-09T15:02:59.140Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache XML Graphics FOP", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "2.9", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "c1gar of Shanxi Normal University"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.</p><p>This issue affects Apache XML Graphics FOP: 2.9.</p><p>Users are recommended to upgrade to version 2.10, which fixes the issue.</p>"}], "value": "Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.\n\nThis issue affects Apache XML Graphics FOP: 2.9.\n\nUsers are recommended to upgrade to version 2.10, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference ('XXE')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-10-09T12:04:03.835Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://xmlgraphics.apache.org/security.html"}], "source": {"defect": ["FOP-3168"], "discovery": "UNKNOWN"}, "title": "Apache XML Graphics FOP: XML External Entity (XXE) Processing", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "apache", "product": "xml_graphics_fop", "cpes": ["cpe:2.3:a:apache:xml_graphics_fop:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.9", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-09T13:28:19.322729Z", "id": "CVE-2024-28168", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-09T13:31:21.362Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/10/09/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-09T15:02:59.140Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/10/09/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-09T15:02:59.140Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-28168", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-09T13:28:19.322729Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:xml_graphics_fop:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "xml_graphics_fop", "versions": [{"status": "affected", "version": "2.9"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-09T13:31:15.528Z"}}], "cna": {"title": "Apache XML Graphics FOP: XML External Entity (XXE) Processing", "source": {"defect": ["FOP-3168"], "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "c1gar of Shanxi Normal University"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache XML Graphics FOP", "versions": [{"status": "affected", "version": "2.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://xmlgraphics.apache.org/security.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.\n\nThis issue affects Apache XML Graphics FOP: 2.9.\n\nUsers are recommended to upgrade to version 2.10, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.</p><p>This issue affects Apache XML Graphics FOP: 2.9.</p><p>Users are recommended to upgrade to version 2.10, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference ('XXE')"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-10-09T12:04:03.835Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28168", "state": "PUBLISHED", "dateUpdated": "2024-10-09T15:02:59.140Z", "dateReserved": "2024-03-06T07:55:11.018Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-10-09T12:04:03.835Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:formatting_objects_processor:2.9:*:*:*:*:*:*:*", "matchCriteriaId": "C04F72AF-E777-45C3-9298-D2AC6B104356", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.\n\nThis issue affects Apache XML Graphics FOP: 2.9.\n\nUsers are recommended to upgrade to version 2.10, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de restricci\u00f3n incorrecta de referencia de entidad externa XML ('XXE') en Apache XML Graphics FOP. Este problema afecta a Apache XML Graphics FOP: 2.9. Se recomienda a los usuarios que actualicen a la versi\u00f3n 2.10, que soluciona el problema."}], "id": "CVE-2024-28168", "lastModified": "2025-07-16T17:19:18.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-10-09T12:15:02.850", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://xmlgraphics.apache.org/security.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/10/09/1"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "fop: Improper Restriction of XML External Entity Reference ('XXE')", "id": "2317557", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2317557"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-611", "details": ["Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.\nThis issue affects Apache XML Graphics FOP: 2.9.\nUsers are recommended to upgrade to version 2.10, which fixes the issue.", "A flaw was found in Apache XML Graphics FOP. This vulnerability allows remote attackers to cause issues via improper handling of XML External Entity (XXE) references."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-28168", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "org.apache.xmlgraphics/fop", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "org.apache.xmlgraphics/fop", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Not affected", "package_name": "org.apache.xmlgraphics/fop", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "org.apache.xmlgraphics/fop", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "org.apache.xmlgraphics/fop", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "org.apache.xmlgraphics/fop", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "fop", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "fop", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "fop", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "org.apache.xmlgraphics/fop", "product_name": "Red Hat Process Automation 7"}], "public_date": "2024-10-09T12:15:02Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-28168\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-28168\nhttps://xmlgraphics.apache.org/security.html"], "statement": "The XXE vulnerability in Apache XML Graphics FOP is considered important rather than moderate due to its potential to compromise the confidentiality, integrity, and availability of a system. XXE flaws can be exploited to access sensitive internal files, such as configuration or credential files, leading to data exposure without authorization. Additionally, XXE attacks may enable attackers to perform server-side request forgery (SSRF), allowing them to make unauthorized requests to internal systems or services, potentially pivoting within a network.\nRed Hat build of Apache Camel for Springboot ships the affected component but it is not a supported library, hence the will not fix state.", "threat_severity": "Important"}