Description

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.

Remediation

References

http://seclists.org/fulldisclosure/2015/Mar/142

http://xmlgraphics.apache.org/security.html

http://www.ubuntu.com/usn/USN-2548-1

http://packetstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.html

http://www.mandriva.com/security/advisories?name=MDVSA-2015:203

http://advisories.mageia.org/MGASA-2015-0138.html

http://rhn.redhat.com/errata/RHSA-2016-0041.html

http://rhn.redhat.com/errata/RHSA-2016-0042.html

http://www-01.ibm.com/support/docview.wss?uid=swg21963275

http://www.securitytracker.com/id/1032781

http://www.debian.org/security/2015/dsa-3205

Related Vulnerabilities

CVE-2023-42810 Vulnerability in npm package systeminformation

CVE-2015-9239 Vulnerability in npm package ansi2html

CVE-2020-28052 Vulnerability in maven package org.bouncycastle:bcprov-jdk15to18

CVE-2021-3690 Vulnerability in maven package io.undertow:undertow-core

CVE-2023-31581 Vulnerability in maven package com.usthe.sureness:sureness-core

Severity

Critical

Tags

Exploit Vendor Advisory Patch NVD-CWE-Other