PT-2024-39124 · Unknown · Taxstatement.Jar

Published: 2024-10-14 · Updated: 2024-12-11 · CVE-2024-8602

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: taxstatement.jar version 2.2.2, taxstatement.jar version 2.2.4
Description: The default settings of the DocumentBuilder allow an XXE (XML External Entity) attack when XML is read from PDF files. An attacker who delivers a manipulated PDF file to the target could, depending on the environment, read files from the operating system, crash the thread handling the parsing, trigger HTTP requests, load additional DTDs or XML files, and under certain conditions execute OS commands. The vulnerability stems from the use of a default-configured DocumentBuilder to parse XML extracted from PDF files.
Recommendations: For taxstatement.jar versions 2.2.2 and 2.2.4, upgrade the affected component immediately to mitigate the risk. As a temporary workaround, consider disabling the use of the DocumentBuilder for parsing XML from PDF files until a patch is available. Restrict access to the vulnerable component to minimize the risk of exploitation. Avoid using the DocumentBuilder with untrusted or manipulated PDF files until the issue is resolved.

Fix · XXE

Weakness Enumeration

Related Identifiers: CVE-2024-8602

Affected Products: Taxstatement.Jar