java-batik: xml external entity injection

ID ASA-201504-5
Type archlinux
Reporter Arch Linux
Modified 2015-04-04T00:00:00


Batik offers several classes for SVG to PNG/JPG conversion, which suffer from a XML External Entity Injection due to the evaluation of external entities within the given SVG file. If an application offers the possibility to upload a SVG file an attacker can put in a malicious formed file and retrieve sensitive information such as the content of files of the respective server. The type of file that can be retrieved depends on the user context in which the application is running.