Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Apache XML Graphics FOP 2.1 Information Disclosure Vulnerability

🗓️ 19 Apr 2017 00:00:00Reported by Pierre ErnstType 
zdt
 zdt🔗 0day.today👁 65 Views

Apache XML Graphics FOP 2.1 Information Disclosure Vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins		Security Bulletin: Security vulnerability in Apache FOP affects IBM® Rational® Quality Manager
28 Apr 202118:35
ibm
IBM Security Bulletins		Security Bulletin: Vulnerability found in fop-1.1.jar which is shipped with IBM® Intelligent Operations Center(CVE-2017-5661)
5 Sep 202312:35
ibm
IBM Security Bulletins		Security Bulletin: Vulnerability in Apache FOP affects IBM Cúram Social Program Management (CVE-2017-5661)
17 Jun 201813:09
ibm
ArchLinux		[ASA-201705-19] fop: xml external entity injection
21 May 201700:00
archlinux
CNVD		Apache FOP XML External Entity Injection Vulnerability
19 Apr 201700:00
cnvd
CVE		CVE-2017-5661
18 Apr 201714:00
cve
Cvelist		CVE-2017-5661
18 Apr 201714:00
cvelist
Debian		[SECURITY] [DLA 927-1] fop security update
29 Apr 201716:35
debian
Debian		[SECURITY] [DSA 3864-1] fop security update
27 May 201722:01
debian
Debian CVE		CVE-2017-5661
18 Apr 201714:00
debiancve
Rows per page
CVE-2017-5661:
Apache XML Graphics FOP information disclosure vulnerability

Severity:
Medium

Vendor:
The Apache Software Foundation

Versions Affected:
FOP 1.0 - 2.1

Description:
Files lying on the filesystem of the server which uses batik can
be revealed to arbitrary users who send maliciously formed SVG
files. The file types that can be shown depend on the user context
in which the exploitable application is running. If the user is root
a full compromise of the server--including confidential or sensitive
files--would be possible.

XXE can also be used to attack the availability of the server
via denial of service as the references within a xml document
can trivially trigger an amplification attack.

Mitigation:
Users should upgrade to FOP 2.2+

Credit:
This issue was independently reported by Pierre Ernst at Salesforce.

References:
http://xmlgraphics.apache.org/security.html

The Apache XML Graphics team.

#  0day.today [2018-03-13]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Apr 2017 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.02449
apache xml graphicsfop 2.1information disclosureseverity mediumapache software foundationversion affectedcve-2017-5661files lyingfile systembatikarbitrary usersmaliciously formed svgxxedenial of serviceamplification attackmitigationfop 2.2+pierre ernstsalesforcesecurity advisory.
65