Veracode Vulnerability Database: VERACODE:3925

Information Disclosure Through An External XML Entity (XXE) Vulnerability

Published: Apr 19, 2017, 01:00:17
Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)

CVSS3: 7.3 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

CVSS2: 7.9 High

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: NONE
Availability Impact: COMPLETE

Vector: AV:N/AC:M/Au:S/C:C/I:N/A:C

Apache Batik is vulnerable to information disclosure through an external XML entity (XXE) vulnerability. The flaw exists because Batik does not restrict external entity resolution when it parses a maliciously formed SVG file: SVG is XML, so the DTD of an attacker-supplied SVG can declare an external entity (for example one whose SYSTEM identifier points at a local file) and reference it from the document body. An attacker who can get an application to process such a file can read confidential information and private files that are accessible to the process running Batik. The same unrestricted DTD processing can also be abused for XML entity expansion, which consumes all of the system's memory and causes a denial of service (DoS) condition.
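The following is an added example, not Batik's code or Veracode's, showing the bug class described above in Python's standard-library SAX parser rather than in Batik: a constructed SVG declares an external entity pointing at a local "secret" file (written to a temporary path purely for the demonstration) and references it from a `<text>` element. Parsed with external general entities enabled, the file's contents come back as document text; the hardened parser keeps external entities disabled and rejects any DOCTYPE, which also removes the entity-expansion (DoS) path. The names `parse_svg_text`, `NoDoctype` and `TextCollector` are this example's own, not an API of Batik or of any library.

```python
import io
import os
import tempfile
import xml.sax
import xml.sax.handler
from pathlib import Path


class DoctypeRejected(Exception):
    """Raised by the hardened parser as soon as a DOCTYPE is encountered."""


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects the character data of every <text> element in the SVG."""

    def __init__(self):
        super().__init__()
        self.in_text = False
        self.texts = []
        self._buf = []

    def startElement(self, name, attrs):
        if name == "text":
            self.in_text = True
            self._buf = []

    def characters(self, content):
        if self.in_text:
            self._buf.append(content)

    def endElement(self, name):
        if name == "text":
            self.texts.append("".join(self._buf))
            self.in_text = False


class NoDoctype:
    """LexicalHandler that aborts parsing on any DTD, internal or external.

    Without a DTD there is no place to declare entities, so this blocks both
    external-entity file reads and internal entity-expansion bombs."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed in SVG input")

    # Remaining LexicalHandler callbacks: nothing to do.
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def make_svg_payload(file_uri: str) -> bytes:
    """Constructed attacker-controlled SVG: declares an external entity that
    points at a local file and references it inside a <text> element."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "{file_uri}">]>\n'
        '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
        '<text x="0" y="0">&xxe;</text>'
        '</svg>'
    ).encode()


def parse_svg_text(svg: bytes, hardened: bool) -> list:
    """Parse an SVG and return the text of its <text> elements.

    hardened=False mirrors the vulnerable behaviour: external general
    entities are resolved, so &xxe; is replaced with the file's contents.
    hardened=True keeps external entity resolution off and rejects any
    DOCTYPE before a single entity can be declared."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, not hardened)
    if hardened:
        parser.setProperty(xml.sax.handler.property_lexical_handler, NoDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(svg))
    return collector.texts


def demo() -> dict:
    """Write a constructed 'secret' file, then parse the payload both ways."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")  # constructed sample secret
        secret_path = f.name
    try:
        payload = make_svg_payload(Path(secret_path).as_uri())
        leaked = parse_svg_text(payload, hardened=False)
        try:
            parse_svg_text(payload, hardened=True)
            blocked = False
        except DoctypeRejected:
            blocked = True
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Rejecting the DOCTYPE outright is the simplest defensible policy for SVG coming from untrusted sources: legitimate SVG rarely needs a DTD, and a byte-level scan for `<!DOCTYPE` is weaker than this parser-level check because it can be bypassed by encoding tricks the parser would still decode.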

Affected components (CPE; operator "le" means "less than or equal to"):

Name | Operator | Version
batik dom | le | 1.6-1
batik-dom | le | 1.8
