Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xd2d4LTU5anctcWZnOc32Kw
Improper Restriction of XML External Entity Reference in Apache Batik
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Permalink: https://github.com/advisories/GHSA-qwgx-59jw-qfg9JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xd2d4LTU5anctcWZnOc32Kw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 7.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H
Identifiers: GHSA-qwgx-59jw-qfg9, CVE-2017-5662
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-5662
- https://access.redhat.com/errata/RHSA-2017:2546
- https://access.redhat.com/errata/RHSA-2017:2547
- https://access.redhat.com/errata/RHSA-2018:0319
- https://www.debian.org/security/2018/dsa-4215
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://xmlgraphics.apache.org/security.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/97948
- http://www.securitytracker.com/id/1038334
- https://github.com/advisories/GHSA-qwgx-59jw-qfg9
Affected Packages
maven:org.apache.xmlgraphics:batik
Dependent packages: 0Dependent repositories: 6
Downloads:
Affected Version Ranges: < 1.9
Fixed in: 1.9
All affected versions:
All unaffected versions: 1.9.1