8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-28109

GHSA ID

GHSA-qxqf-2mfx-x8jw

EPSS Score

0.81239%

CWE

CWE-91

Published

5/20/2024

Updated

1/17/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-28109

CVE-2024-28109: veraPDF has potential XSLT injection vulnerability when using policy files

Impact

Executing policy checks using custom schematron files invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability.

Patches

This has been patched and users should upgrade to veraPDF v1.24.2

Workarounds

This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust.

References

Original issue: https://github.com/veraPDF/veraPDF-library/issues/1415

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-28109

GHSA ID

GHSA-qxqf-2mfx-x8jw

EPSS Score

0.81239%

CWE

CWE-91

Published

5/20/2024

Updated

1/17/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.verapdf:core	maven	< 1.24.2	1.24.2
org.verapdf:core-jakarta	maven	< 1.24.2	1.24.2
org.verapdf:core-arlington	maven	< 1.25.127	1.25.127
org.verapdf:verapdf-library-arlington	maven	< 1.25.127	1.25.127
org.verapdf:verapdf-library	maven	< 1.24.2	1.24.2
org.verapdf:verapdf-library-jakarta	maven	< 1.24.2	1.24.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure XSLT processing configurations in multiple classes. Key indicators:

All affected files used TransformerFactory without FEATURE_SECURE_PROCESSING and ACCESS_EXTERNAL_STYLESHEET restrictions
The patches explicitly add these security features in static initializers
The commit message confirms 'Set secure parameter for xslt transformation'
CWE-91 directly maps to XML/XSLT injection scenarios
The vulnerability manifests when processing user-supplied policy files through these transformation functions High confidence because:

The pre-patch code clearly lacks security features shown in the diffs
The CVE description explicitly links XSLT processing to RCE
Multiple classes with XSLT handling were simultaneously patched

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *x**utin* poli*y ****ks usin* *ustom s***m*tron *il*s invok*s *n XSL tr*ns*orm*tion t**t m*y t**or*ti**lly l*** to * r*mot* *o** *x**ution (R**) vuln*r**ility. ### P*t***s T*is **s ***n p*t**** *n* us*rs s*oul* up*r*** to v*r*P** v*.**.

Reasoning

T** vuln*r**ility st*ms *rom ins**ur* XSLT pro**ssin* *on*i*ur*tions in multipl* *l*ss*s. K*y in*i**tors: *. *ll *****t** *il*s us** Tr*ns*orm*r***tory wit*out ***TUR*_S**UR*_PRO**SSIN* *n* ****SS_*XT*RN*L_STYL*S***T r*stri*tions *. T** p*t***s *xpli

8.1

Basic Information

Concerned about an active attack path?

CVE-2024-28109: veraPDF has potential XSLT injection vulnerability when using policy files

Impact

Patches

Workarounds

References

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI