That is here: <https://issues.apache.org/jira/browse/PDFBOX-4505>
that code (XML parse) isn't in 1.8. Nevertheless, you should migrate to
2.0.* to enjoy all the improvements.
Tilman
On 20.01.2021 at 11:07, Avinash Modi wrote:
I was scanning Apache PDFBox v1.8.16 jar in BlackDuck and it got flagged
with the following report:
*CVE-2019-0228*
Apache PDFBox 2.0.14 does not properly initialize the XML parser, which
allows context-dependent attackers to conduct XML External Entity (XXE)
attacks via a crafted XFDF.
From the report: It talks about v2.0.14, but I am on v1.8.16, which has me
wondering.
My concern is that I am using Apache PdfBox 1.8.16, which was released on
3rd July 2020, after the issue was reported (on 17 Apr 2019). So, did it get
resolved in this version?
Thanks,
Avinash.