CVE-2024-8602

CVE-2024-8602 is a medium-severity vulnerability with a CVSS 4.0 base score of 6.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-611.

Key facts

Description

When the XML is read from the codes in the PDF and parsed using a DocumentBuilder, the default settings of the DocumentBuilder allow for an XXE (XML External Entity) attack. Further information on this can be found on the website of the Open Worldwide Application Security Project (OWASP). An attacker could theoretically leverage this by delivering a manipulated PDF file to the target, and depending on the environment, various actions can be executed. These actions include: * Reading files from the operating system * Crashing the thread handling the parsing or causing it to enter an infinite loop * Executing HTTP requests * Loading additional DTDs or XML files * Under certain conditions, executing OS commands

Frequently asked questions

What is CVE-2024-8602?
When the XML is read from the codes in the PDF and parsed using a DocumentBuilder, the default settings of the DocumentBuilder allow for an XXE (XML External Entity) attack. Further information on this can be found on the website of the Open Worldwide Application Security Project (OWASP). An attacker could theoretically leverage this by delivering a manipulated PDF file to the target, and depending on the environment, various actions can be executed. These actions include: * Reading files from the operating system * Crashing the thread handling the parsing or causing it to enter an infinite loop * Executing HTTP requests * Loading additional DTDs or XML files * Under certain conditions, executing OS commands
How severe is CVE-2024-8602?
CVE-2024-8602 has a CVSS 4.0 base score of 6.3, rated medium severity.
Is CVE-2024-8602 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (31st percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2024-8602?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-8602 have an EU (EUVD) identifier?
Yes. CVE-2024-8602 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-49633.
When was CVE-2024-8602 published?
CVE-2024-8602 was published on 2024-10-14 and last updated on 2026-06-17.

References

Other CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) vulnerabilities

Browse all CWE-611 (Improper Restriction of XML External Entity Reference (XXE)) vulnerabilities →