CVSS3: 7.3 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

CVSS2: 7.9 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:N/AC:M/Au:S/C:C/I:N/A:C
Apache Batik is vulnerable to information disclosure through an XML external entity (XXE) vulnerability. The flaw exists because Batik does not properly validate the file when handling a maliciously formed SVG file. Using this flaw, attackers can gain access to confidential information and private files. The XXE can also be used to trigger an XML entity expansion that consumes all of the system's memory, crashing it and causing a denial of service (DoS) condition.
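A defensive pre-screen for untrusted SVG uploads, as an added example that is not Batik's code or its upstream fix: it rejects any document carrying a DOCTYPE, which removes both the external entity read and the entity expansion described above. The class and method names are hypothetical, the sample documents are constructed, and it assumes the JDK's default JAXP parser, which recognises the feature URIs used here.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class SvgPreScreen { // hypothetical name, not part of Batik

    // Factory that refuses any DOCTYPE. Without a DOCTYPE a document cannot
    // declare entities, so neither external reads nor expansion are possible.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the DOCTYPE ban is ever relaxed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f;
    }

    // True only if the bytes are well-formed XML with no DOCTYPE declaration.
    static boolean isSafeSvg(byte[] svg) {
        try {
            hardenedFactory().newDocumentBuilder().parse(new ByteArrayInputStream(svg));
            return true;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return false; // reject: DOCTYPE present, malformed XML, or parser misconfigured
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a plain SVG and one that declares an internal entity.
        String plain = "<svg xmlns=\"http://www.w3.org/2000/svg\">"
                + "<rect width=\"1\" height=\"1\"/></svg>";
        String withDoctype = "<!DOCTYPE svg [<!ENTITY e \"text\">]>"
                + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&e;</text></svg>";

        System.out.println("plain SVG accepted: "
                + isSafeSvg(plain.getBytes(StandardCharsets.UTF_8)));
        System.out.println("SVG with DOCTYPE accepted: "
                + isSafeSvg(withDoctype.getBytes(StandardCharsets.UTF_8)));
    }
}
```

Run the screen before the bytes reach any Batik transcoder or document factory; it complements, and does not replace, upgrading to a patched Batik release.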
www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
www.securityfocus.com/bid/97948
www.securitytracker.com/id/1038334
access.redhat.com/errata/RHSA-2017:2546
access.redhat.com/errata/RHSA-2017:2547
access.redhat.com/errata/RHSA-2018:0319
github.com/apache/batik/compare/e2200fd50e424f6e132ec86ba65bb0b0805ca4d3...6ab669f073c23a443d78a7a08aea2fd4de10da8c
issues.apache.org/jira/browse/BATIK-1113
issues.apache.org/jira/browse/BATIK-1139
www.debian.org/security/2018/dsa-4215
www.oracle.com/security-alerts/cpuoct2020.html
www.sourceclear.com/registry/security/xml-external-entity-xxe-injection/java/sid-3891
xmlgraphics.apache.org/security.html