CVE-2017-5662

Severity
7.3 HIGH
EPSS
0.3%
top 48.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 18
Latest update: May 13

Description

In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H
Exploitability: 2.1 | Impact: 5.2

Affected Packages (4 packages)

NVD: apache/batik 1.8
Debian: batik < 1.9-1+3

Patches

Vulnerability Details (4)

GHSA: Improper Restriction of XML External Entity Reference in Apache Batik (2022-05-13)
OSV: Improper Restriction of XML External Entity Reference in Apache Batik (2022-05-13)
CVEList: CVE-2017-5662: In Apache Batik before 1 (2017-04-18)
OSV: CVE-2017-5662: In Apache Batik before 1 (2017-04-18)

Vendor Advisories (3)

Ubuntu: Apache Batik vulnerability (2017-05-09)
Red Hat: batik: XML external entity processing vulnerability (2017-04-10)
Debian: CVE-2017-5662: batik - In Apache Batik before 1.9, files lying on the filesystem of the server which us... (2017)

Community (2)

Bugzilla: CVE-2017-5662 batik: XML external entity processing vulnerability [fedora-all] (2017-04-19)
Bugzilla: CVE-2017-5662 batik: XML external entity processing vulnerability (2017-04-19)
CVE-2017-5662 (HIGH CVSS 7.3) | In Apache Batik before 1.9 | cvebase.io