[Secure-testing-team] Bug#860566: batik: CVE-2017-5662: information disclosure vulnerability

Salvatore Bonaccorso carnil at debian.org
Tue Apr 18 18:00:49 UTC 2017


Source: batik
Version: 1.5beta2-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for batik.

CVE-2017-5662[0]:
| In Apache Batik before 1.9, files lying on the filesystem of the
| server which uses batik can be revealed to arbitrary users who send
| maliciously formed SVG files. The file types that can be shown depend
| on the user context in which the exploitable application is running.
| If the user is root a full compromise of the server - including
| confidential or sensitive files - would be possible. XXE can also be
| used to attack the availability of the server via denial of service as
| the references within an xml document can trivially trigger an
| amplification attack.

The issue was announced in [1], but at the time of writing this
bug report I have no upstream reference apart from [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5662
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5662
[1] http://www.openwall.com/lists/oss-security/2017/04/18/1
[2] https://xmlgraphics.apache.org/security.html

Regards,
Salvatore
