CVE-2017-5662
Summary
| CVE | CVE-2017-5662 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-04-18 14:59:00 UTC |
| Updated | 2025-04-20 01:37:25 UTC |
| Description | In Apache Batik before 1.9, files lying on the filesystem of the server that uses Batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root, a full compromise of the server, including confidential or sensitive files, would be possible. XXE can also be used to attack the availability of the server via denial of service, as the references within an XML document can trivially trigger an amplification attack. |
Risk And Classification
Primary CVSS: v3.0 7.3 HIGH from [email protected]
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H
Problem Types: CWE-611 | XXE
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Primary | 7.3 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H |
| 2.0 | [email protected] | Primary | 7.9 | | AV:N/AC:M/Au:S/C:C/I:N/A:C |
CVSS v3.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | High |
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | Single |
| Confidentiality | Complete |
| Integrity | None |
| Availability | Complete |
Vector: AV:N/AC:M/Au:S/C:C/I:N/A:C
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache Batik | affected before 1.9 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apache Batik SVG File XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| Debian -- Security Information -- DSA-4215-1 batik | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| Oracle Critical Patch Update Advisory - October 2020 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Oracle Critical Patch Update - October 2017 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| Oracle Critical Patch Update - April 2018 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Apache Batik CVE-2017-5662 XML External Entity Information Disclosure Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | |
| CPU July 2018 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| The Apache(tm) XML Graphics Project - Community | af854a3a-2127-422b-91ae-364da2661108 | xmlgraphics.apache.org | Patch, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 755916 SUSE Enterprise Linux Security Update for xmlgraphics-batik (SUSE-SU-2024:0777-1)