Apache FOP is vulnerable to information disclosure because the library embeds a Batik jar. Apache Batik is vulnerable to information disclosure through XML external entity (XXE) processing. A malicious user can send an SVG file to the application and use an external entity to reveal the contents of sensitive files. The same flaw can also be used to trigger XML entity expansion that consumes all of the system's memory, crashing it and causing a denial-of-service (DoS) condition.

| CPE Name | Operator | Version |
|---|---|---|
| apache fop all-in-one | le | 2.1 |
| fop:trusty | eq | 1:1.1.dfsg-2ubuntu1 |
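
A pre-flight check for the SVG path described above, as an added example that is not code from Apache FOP or Batik: it parses untrusted SVG with DTDs and external entities disabled and rejects anything carrying a DOCTYPE before the file reaches the renderer. The class name `SvgPreflight`, the method `isSafeSvg` and the sample inputs are hypothetical, and the feature URIs assume the JDK's built-in Xerces-based JAXP parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Added example (hypothetical class): screen untrusted SVG before it is
// handed to FOP/Batik for rendering.
public class SvgPreflight {

    // Returns true only if the SVG parses with DTDs and external entities switched off.
    static boolean isSafeSvg(byte[] svg) {
        try {
            SAXParserFactory f = SAXParserFactory.newInstance();
            f.setNamespaceAware(true);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Any <!DOCTYPE ...> becomes a fatal error, which rules out both
            // external entities and entity-expansion input.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth in case the DOCTYPE ban is ever relaxed.
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.newSAXParser().parse(new ByteArrayInputStream(svg), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            return false; // malformed XML, or a DOCTYPE was present
        } catch (Exception e) {
            return false; // unsupported feature or I/O error: fail closed
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one plain SVG, one that declares an internal entity.
        String plain = "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"10\" height=\"10\">"
                + "<rect width=\"10\" height=\"10\"/></svg>";
        String withDoctype = "<!DOCTYPE svg [ <!ENTITY label \"text\"> ]>"
                + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&label;</text></svg>";
        System.out.println("plain SVG accepted:   "
                + isSafeSvg(plain.getBytes(StandardCharsets.UTF_8)));
        System.out.println("DOCTYPE SVG accepted: "
                + isSafeSvg(withDoctype.getBytes(StandardCharsets.UTF_8)));
    }
}
```

This screens input at the application boundary only; it does not change how the Batik code embedded in FOP configures its own parser.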