CVE-2015-0250 — XML External Entity (XXE) Injection in Apache Batik

CWE-611 — XML External Entity (XXE) Injection CWE-20 — Improper Input Validation9 documents8 sources

Severity

6.4MEDIUMNVD

EPSS

1.5%

top 19.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Batik Redhat Jboss Enterprise Brms Platform Canonical Ubuntu Linux

Timeline

PublishedMar 24

Latest updateMay 17

Description

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.

CVSS vector

AV:N/AC:L/C:P/I:N/A:PExploitability: 10.0 | Impact: 4.9

Affected Packages3 packages

▶Debianapache/batik< 1.7+dfsg-5+3

▶NVDapache/batik1.7

▶NVDredhat/jboss_enterprise_brms_platform6.1.2

Also affects: Ubuntu Linux 12.04, 14.04, 14.10

Patches

Patch: www.ubuntu.com ↗Patch: www.ubuntu.com ↗

🔴Vulnerability Details

OSV

Improper Input Validation in Apache Batik↗2022-05-17

▶

GHSA

Improper Input Validation in Apache Batik↗2022-05-17

▶

OSV

CVE-2015-0250: XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1↗2015-03-24

▶

CVEList

CVE-2015-0250: XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1↗2015-03-24

▶

📋Vendor Advisories

Ubuntu

Batik vulnerability↗2015-03-25

▶

Debian

CVE-2015-0250: batik - XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conver...↗2015

▶

Red Hat

batik: XML External Entity (XXE) injection in SVG parsing↗2012-07-25

▶

💬Community

Bugzilla

CVE-2015-0250 batik: XML External Entity (XXE) injection in SVG parsing↗2015-03-19

▶