CVE-2015-0250

Published: Mar 24, 2015Modified: May 6, 2026

6.4

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:P

Exploitability: 10.0 / Impact: 4.9

Source: NVD

Description

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.

Affected (5)

Products: Canonical: Ubuntu Linux · Apache: Batik · Redhat: Jboss Enterprise Brms Platform

1 product

1 product

1 product

Jboss Enterprise Brms Platform

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 14.10

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Apache Batik	Up to 1.7

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Jboss Enterprise Brms Platform	Up to 6.1.2

References (22)

http://advisories.mageia.org/MGASA-2015-0138.html

Source: secalert@redhat.com

http://packetstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-0041.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-0042.html

Source: secalert@redhat.com

http://seclists.org/fulldisclosure/2015/Mar/142

Source: secalert@redhat.com

Exploit

http://www-01.ibm.com/support/docview.wss?uid=swg21963275

Source: secalert@redhat.com

http://www.debian.org/security/2015/dsa-3205

Source: secalert@redhat.com

http://www.mandriva.com/security/advisories?name=MDVSA-2015:203

Source: secalert@redhat.com

http://www.securitytracker.com/id/1032781

Source: secalert@redhat.com

http://www.ubuntu.com/usn/USN-2548-1

Source: secalert@redhat.com

Patch

http://xmlgraphics.apache.org/security.html

Source: secalert@redhat.com

Vendor Advisory

http://advisories.mageia.org/MGASA-2015-0138.html