CVE-2024-52800
Published: 29 November 2024
Summary
CVE-2024-52800 is a low-severity vulnerability classified as Improper Restriction of XML External Entity Reference (CWE-611), with a CVSS 4.0 base score of 2.3 (Low).
Operationally, it ranks in the top 5.9% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
veraPDF, an open source PDF/A validation library, contains a theoretical remote code execution issue: running policy checks through the command-line interface with a custom Schematron policy file invokes an XSL transformation, and XSLT embedded in an untrusted policy file could be abused. The flaw does not affect standard validation or the library's common policy-check usage, which relies on Schematron syntax rather than direct XSLT. The vulnerability is tracked as CWE-611 and carries a CVSS 4.0 score of 2.3, although the advisory describes the consequence as code execution rather than classic external-entity disclosure.
An attacker would need to supply a malicious custom policy file containing XSLT to a user who then processes it with the CLI; successful exploitation could permit arbitrary code execution on the victim's system. The attack requires user interaction and only affects users who deliberately load untrusted XSLT-bearing policy profiles, which the project states is uncommon.
The GitHub security advisory GHSA-4cx5-89vm-833x reports the issue as still unpatched. It recommends loading custom policy files only from trusted sources and avoiding untrusted XSLT content until a fix is released. The associated EPSS values (current 0.1249, peak 0.1682) have not climbed markedly from their low baseline.
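The advisory's only mitigation is "load custom policy files only from sources you trust". A practitioner who must accept policy files from elsewhere can at least triage them before handing them to the veraPDF CLI. The script below is an illustrative pre-flight audit added here; it is not veraPDF's own code or a project-supplied tool. It flags the constructs the advisory warns about: DTD/entity declarations (the CWE-611 vector), elements in the XSLT namespace, namespace bindings that expose Java classes to XPath via the Xalan (`http://xml.apache.org/xalan/java`, `xalan://...`) or Saxon (`java:...`) conventions, and external-resource functions such as document(). The three sample policies and the report paths inside them are constructed for the example and are not real veraPDF profiles; the allow-list of namespaces is an assumption that may need widening for a given deployment.

```python
"""Pre-flight audit of a Schematron policy file before it reaches the veraPDF CLI.

Illustrative, stdlib-only triage (not veraPDF code): flags embedded XSLT,
Java-extension namespaces, external-resource functions and DTDs (CWE-611).
"""
import io
import re
import xml.etree.ElementTree as ET

SCHEMATRON_NS = {
    "http://purl.oclc.org/dsdl/schematron",  # ISO Schematron
    "http://www.ascc.net/xml/schematron",    # legacy Schematron 1.x
}
XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
# Assumed allow-list: namespaces a policy may legitimately reference.
ALLOWED_NS = SCHEMATRON_NS | {
    XSLT_NS,
    "http://www.w3.org/2005/xpath-functions",
    "http://www.w3.org/2001/XMLSchema",
}
# URI conventions XSLT processors use to expose Java classes to XPath
# (Xalan: http://xml.apache.org/xalan/java and xalan://Class; Saxon: java:Class).
JAVA_EXT_NS = ("http://xml.apache.org/xalan/java", "xalan://", "java:")
DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
EXTERNAL_FN_RE = re.compile(r"\b(document|doc|unparsed-text|unparsed-text-lines)\s*\(")
PREFIXED_CALL_RE = re.compile(r"\b([A-Za-z_][\w.-]*):([A-Za-z_][\w.-]*)\s*\(")


def audit_policy(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    # 1. A policy file has no legitimate need for a DTD; refuse to parse one at all,
    #    since entity expansion is the CWE-611 vector.
    if DTD_RE.search(xml_text):
        findings.append("DTD/ENTITY declaration present (possible XXE, CWE-611); not parsed")
        return findings

    ns_map = {}  # prefix -> URI; flat map that ignores scoping, adequate for triage
    try:
        events = ET.iterparse(io.StringIO(xml_text), events=("start-ns", "start"))
        for event, payload in events:
            if event == "start-ns":
                prefix, uri = payload
                ns_map[prefix] = uri
                # 2. Namespace bindings that reach Java reflection.
                if uri.startswith(JAVA_EXT_NS):
                    findings.append(f"extension namespace bound to prefix '{prefix}': {uri}")
                continue
            elem = payload
            uri, _, local = elem.tag.rpartition("}")
            uri = uri.lstrip("{")
            # 3. Any XSLT element means the policy carries a transform, not just Schematron.
            if uri == XSLT_NS:
                findings.append(f"embedded XSLT element <{local}> (XSLT namespace)")
            elif uri not in ALLOWED_NS:
                findings.append(f"element <{local}> in unexpected namespace '{uri}'")
            # 4. XPath expressions in attributes: external loads and foreign function calls.
            for name, value in elem.attrib.items():
                for m in EXTERNAL_FN_RE.finditer(value):
                    findings.append(f"external-resource function {m.group(1)}() in @{name}")
                for m in PREFIXED_CALL_RE.finditer(value):
                    prefix, fn = m.group(1), m.group(2)
                    target = ns_map.get(prefix, "<unbound prefix>")
                    if target not in ALLOWED_NS:
                        findings.append(f"call {prefix}:{fn}() in @{name} resolves to {target}")
    except ET.ParseError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


# Constructed sample inputs (not real veraPDF policies; report paths are illustrative).
BENIGN_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron" queryBinding="xslt">
  <sch:pattern name="fonts">
    <sch:rule context="/report/jobs/job/featuresReport/documentResources/fonts/font">
      <sch:assert test="embedded = 'true'">Every font must be embedded</sch:assert>
    </sch:rule>
  </sch:pattern>
</sch:schema>
"""

SUSPICIOUS_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron"
            xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
            xmlns:sys="xalan://java.lang.System" queryBinding="xslt">
  <sch:pattern name="fonts">
    <sch:rule context="/report">
      <sch:report test="true()">Running as <xsl:value-of select="sys:getProperty('user.name')"/></sch:report>
    </sch:rule>
  </sch:pattern>
</sch:schema>
"""

XXE_POLICY = """<!DOCTYPE schema [<!ENTITY leak SYSTEM "file:///etc/hostname">]>
<sch:schema xmlns:sch="http://purl.oclc.org/dsdl/schematron">
  <sch:pattern name="leak"><sch:rule context="/"><sch:report test="true()">&leak;</sch:report></sch:rule></sch:pattern>
</sch:schema>
"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_POLICY), ("suspicious", SUSPICIOUS_POLICY), ("xxe", XXE_POLICY)):
        result = audit_policy(text)
        print(f"{label}: {'OK' if not result else 'REJECT'}")
        for line in result:
            print("  -", line)
```

The audit is deliberately allow-list based: anything outside Schematron, XSLT, XPath functions and XML Schema namespaces is reported rather than silently accepted, and a DTD is grounds to stop before parsing. It is a triage aid, not a sandbox; a policy that passes it still runs in the same XSLT engine, so the advisory's guidance to take custom policy files only from trusted sources stands until a fix ships.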
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3420
Vulnerability details
veraPDF is an open source PDF/A validation library. Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust. This issue has not yet been patched. Users are advised to be cautious of XSLT code until a patch is available.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.