{"api_version":"1","generated_at":"2026-04-22T22:49:00+00:00","cve":"CVE-2015-0250","urls":{"html":"https://cve.report/CVE-2015-0250","api":"https://cve.report/api/cve/CVE-2015-0250.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2015-0250","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2015-0250"},"summary":{"title":"CVE-2015-0250","description":"XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2015-03-24 17:59:00","updated_at":"2017-11-04 01:29:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"http://rhn.redhat.com/errata/RHSA-2016-0041.html","name":"RHSA-2016:0041","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://xmlgraphics.apache.org/security.html","name":"http://xmlgraphics.apache.org/security.html","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"The Apache™ XML Graphics Project - Community","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.html","name":"http://packetstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.html","refsource":"MISC","tags":[],"title":"Apache Batik XXE Injection ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.debian.org/security/2015/dsa-3205","name":"DSA-3205","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-3205-1 batik","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.ubuntu.com/usn/USN-2548-1","name":"USN-2548-1","refsource":"UBUNTU","tags":["Patch"],"title":"USN-2548-1: Batik vulnerability | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://advisories.mageia.org/MGASA-2015-0138.html","name":"http://advisories.mageia.org/MGASA-2015-0138.html","refsource":"CONFIRM","tags":[],"title":"Mageia Advisory: MGASA-2015-0138 - Updated batik packages fix security vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://seclists.org/fulldisclosure/2015/Mar/142","name":"20150322 [CVE-2015-0250] Apache Batik Information Disclosure Vulnerability (XXE Injection)","refsource":"FULLDISC","tags":["Exploit"],"title":"Full Disclosure: [CVE-2015-0250] Apache Batik Information Disclosure Vulnerability (XXE Injection)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1032781","name":"1032781","refsource":"SECTRACK","tags":[],"title":"Apache Batik XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www-01.ibm.com/support/docview.wss?uid=swg21963275","name":"http://www-01.ibm.com/support/docview.wss?uid=swg21963275","refsource":"CONFIRM","tags":[],"title":"IBM Security Bulletin: Multiple Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.11 - United States","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2015:203","name":"MDVSA-2015:203","refsource":"MANDRIVA","tags":[],"title":"Support / Security / Advisories /  / MDVSA-2015:203 | Mandriva","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://rhn.redhat.com/errata/RHSA-2016-0042.html","name":"RHSA-2016:0042","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2015-0250","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-0250","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2015","cve_id":"250","vulnerable":"1","versionEndIncluding":"1.7","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"batik","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"250","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"12.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"250","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"14.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"250","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"14.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"250","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"12.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"250","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"14.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"250","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"14.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"250","vulnerable":"1","versionEndIncluding":"6.1.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_brms_platform","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","ID":"CVE-2015-0250","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"USN-2548-1","refsource":"UBUNTU","url":"http://www.ubuntu.com/usn/USN-2548-1"},{"name":"http://www-01.ibm.com/support/docview.wss?uid=swg21963275","refsource":"CONFIRM","url":"http://www-01.ibm.com/support/docview.wss?uid=swg21963275"},{"name":"MDVSA-2015:203","refsource":"MANDRIVA","url":"http://www.mandriva.com/security/advisories?name=MDVSA-2015:203"},{"name":"DSA-3205","refsource":"DEBIAN","url":"http://www.debian.org/security/2015/dsa-3205"},{"name":"1032781","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1032781"},{"name":"http://advisories.mageia.org/MGASA-2015-0138.html","refsource":"CONFIRM","url":"http://advisories.mageia.org/MGASA-2015-0138.html"},{"name":"20150322 [CVE-2015-0250] Apache Batik Information Disclosure Vulnerability (XXE Injection)","refsource":"FULLDISC","url":"http://seclists.org/fulldisclosure/2015/Mar/142"},{"name":"RHSA-2016:0042","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2016-0042.html"},{"name":"http://xmlgraphics.apache.org/security.html","refsource":"CONFIRM","url":"http://xmlgraphics.apache.org/security.html"},{"name":"RHSA-2016:0041","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2016-0041.html"},{"name":"http://packetstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.html"}]}},"nvd":{"publishedDate":"2015-03-24 17:59:00","lastModifiedDate":"2017-11-04 01:29:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*","versionEndIncluding":"1.7","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*","versionEndIncluding":"6.1.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2015","CveId":"250","Ordinal":"76274","Title":"CVE-2015-0250","CVE":"CVE-2015-0250","Year":"2015"},"notes":[{"CveYear":"2015","CveId":"250","Ordinal":"1","NoteData":"XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.","Type":"Description","Title":null},{"CveYear":"2015","CveId":"250","Ordinal":"2","NoteData":"2015-03-24","Type":"Other","Title":"Published"},{"CveYear":"2015","CveId":"250","Ordinal":"3","NoteData":"2017-11-03","Type":"Other","Title":"Modified"}]}}}