Description
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
It was found that Batik was vulnerable to XML External Entity (XXE) attacks when parsing SVG files. A remote attacker able to submit malicious SVG content to an affected server could use this flaw to read any file accessible to the user running the application server, and potentially mount other XXE attacks, including the denial of service noted above.
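The following is an added example, not code from this page or from the Batik project. It reproduces the class of bug described above with Python's standard-library SAX parser (expat) in place of Batik, and puts the vulnerable configuration (external general entities resolved while parsing) next to a hardened one (external entities disabled and any DOCTYPE rejected). The secret file, its contents, the SVG payload and all function and class names are constructed for the example.

```python
"""XXE through an SVG <text> element: vulnerable vs. hardened parse.

Added example using Python's stdlib SAX parser; the secret file and the
SVG payload are constructed below and do not come from the advisory.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collect character data inside <text> elements, roughly what a
    rasterizer sees when it lays out SVG text."""

    def __init__(self):
        super().__init__()
        self.depth = 0
        self.chunks = []

    def startElement(self, name, attrs):
        if name == "text":
            self.depth += 1

    def endElement(self, name):
        if name == "text":
            self.depth -= 1

    def characters(self, content):
        if self.depth:
            self.chunks.append(content)


class RejectDoctype:
    """LexicalHandler that aborts as soon as a DOCTYPE appears. SVG never
    needs an inline DTD, and without one no entity can be declared."""

    def startDTD(self, name, public_id, system_id):
        raise xml.sax.SAXException("DOCTYPE declarations are not allowed in SVG input")

    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def build_malicious_svg(path):
    """Constructed attacker payload: declare an external entity that points
    at a local file and reference it from a <text> element."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE svg [\n'
        f'  <!ENTITY xxe SYSTEM "file://{path}">\n'
        ']>\n'
        '<svg xmlns="http://www.w3.org/2000/svg" width="200" height="50">\n'
        '  <text x="0" y="20">&xxe;</text>\n'
        '</svg>\n'
    ).encode()


def extract_text(svg_bytes, resolve_external_entities):
    """Parse the SVG and return the text that would be rendered.
    resolve_external_entities=True is the vulnerable configuration."""
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(svg_bytes))
    return "".join(collector.chunks)


def extract_text_hardened(svg_bytes):
    """Same parse with external general and parameter entities disabled and
    any DOCTYPE rejected before the internal subset is even read."""
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    parser.parse(io.BytesIO(svg_bytes))
    return "".join(collector.chunks)


def demo():
    """Write a constructed secret, run the three parses against it, and
    report what each one returned."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")  # constructed secret, not real data
        secret_path = f.name
    try:
        svg = build_malicious_svg(secret_path)
        leaked = extract_text(svg, resolve_external_entities=True)
        default = extract_text(svg, resolve_external_entities=False)
        try:
            extract_text_hardened(svg)
            hardened_rejected = False
        except xml.sax.SAXException:
            hardened_rejected = True
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked, "default": default, "hardened_rejected": hardened_rejected}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the secret's contents from the vulnerable parse, an empty string once external entities are simply not resolved, and a rejection from the hardened parse. Disabling entity resolution alone stops the file read; rejecting the DOCTYPE as well also removes the internal-subset constructs (recursive entity expansion, parameter entities) that denial-of-service payloads rely on, which is the second outcome the advisory lists.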
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Developer Toolset 2.1 | batik | Will not fix | | |
| Red Hat Enterprise Linux 6 | batik | Will not fix | | |
| Red Hat Enterprise Linux 7 | batik | Will not fix | | |
| Red Hat Enterprise Virtualization 3 | jasperreports-server-pro | Will not fix | | |
| Red Hat JBoss BRMS 5 | batik | Will not fix | | |
| Red Hat JBoss Enterprise Web Server 1 | fuse | Not affected | | |
| Red Hat JBoss Fuse Service Works 6 | batik | Affected | | |
| Red Hat JBoss SOA Platform 5 | batik | Will not fix | | |
| Red Hat OpenShift Enterprise 2 | jboss-eap6-modules | Not affected | | |
| Red Hat OpenShift Enterprise 2 | openshift-origin-cartridge-fuse | Not affected | | |
Additional information
Status:
EPSS:
CVSS2: 5.8 Medium