Source: batik
Version: 1.5beta2-1
Severity: important
Tags: security upstream


the following vulnerability was published for batik.

| In Apache Batik before 1.9, files lying on the filesystem of the
| server which uses batik can be revealed to arbitrary users who send
| maliciously formed SVG files. The file types that can be shown depend
| on the user context in which the exploitable application is running.
| If the user is root a full compromise of the server - including
| confidential or sensitive files - would be possible. XXE can also be
| used to attack the availability of the server via denial of service as
| the references within a xml document can trivially trigger an
| amplification attack.

The issue was annonced in [1], but at the time of writing this
bugreport I have no upstream reference apart [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:



This is the maintainer address of Debian's Java team
Please use for discussions and questions.

Reply via email to