Insufficient Signature Validation

Affecting com.itextpdf:sign artifact, versions [,7.1.5)


Overview

com.itextpdf:sign is the itext7 sign package, used as part of the itext7 PDF parsing library.

Affected versions of this package are vulnerable to Insufficient Signature Validation. The signature checker feature in itext7 can be bypassed because it does not sufficiently validate the whole PDF document.
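What a consuming application can check explicitly when it relies on itext7 signature verification, written against the public iText 7.1 SignatureUtil / PdfPKCS7 API; this is an added example, not code from the advisory or from the library, and the class name, method name and the "signed.pdf" path are placeholders of this example.

```java
import com.itextpdf.kernel.pdf.PdfDocument;
import com.itextpdf.kernel.pdf.PdfReader;
import com.itextpdf.signatures.PdfPKCS7;
import com.itextpdf.signatures.SignatureUtil;

import java.util.List;

public class StrictSignatureCheck {

    // Accepts a PDF only if every signature field verifies cryptographically
    // AND the latest signature's byte range covers the entire file. A signature
    // that verifies but covers only an earlier revision means bytes were
    // appended after signing, so the document as a whole is not what was signed.
    public static boolean allSignaturesCoverWholeDocument(String path) throws Exception {
        try (PdfDocument doc = new PdfDocument(new PdfReader(path))) {
            SignatureUtil util = new SignatureUtil(doc);
            List<String> names = util.getSignatureNames(); // in signing order
            if (names.isEmpty()) {
                return false; // unsigned document: nothing to trust
            }
            int totalRevisions = util.getTotalRevisions();
            boolean latestCoversWhole = false;
            for (String name : names) {
                PdfPKCS7 pkcs7 = util.readSignatureData(name);
                if (!pkcs7.verifySignatureIntegrityAndAuthenticity()) {
                    System.out.println(name + ": integrity check FAILED");
                    return false;
                }
                boolean covers = util.signatureCoversWholeDocument(name);
                System.out.printf("%s: revision %d of %d, covers whole document: %b%n",
                        name, util.getRevision(name), totalRevisions, covers);
                latestCoversWhole = covers; // value from the last (latest) signature wins
            }
            return latestCoversWhole;
        }
    }

    public static void main(String[] args) throws Exception {
        // "signed.pdf" is a placeholder path, not a file from the advisory.
        String path = args.length > 0 ? args[0] : "signed.pdf";
        System.out.println("accept: " + allSignaturesCoverWholeDocument(path));
    }
}
```

A document that prints "covers whole document: false" for its latest signature has been modified after signing and should be treated as unsigned by the application, independent of whether the library's own checker accepted it.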

Remediation

Upgrade com.itextpdf:sign to version 7.1.5 or higher.

CVSS Score

5.9
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R
Credit
Unknown
CWE
CWE-347
Snyk ID
SNYK-JAVA-COMITEXTPDF-541284
Disclosed
14 Dec, 2018
Published
09 Jan, 2020