Source: fop
Version: 1:1.0.dfsg-1
Severity: important
Tags: upstream security


the following vulnerability was published for fop.

| In Apache FOP before 2.2, files lying on the filesystem of the server
| which uses FOP can be revealed to arbitrary users who send maliciously
| formed SVG files. The file types that can be shown depend on the user
| context in which the exploitable application is running. If the user
| is root a full compromise of the server - including confidential or
| sensitive files - would be possible. XXE can also be used to attack
| the availability of the server via denial of service as the references
| within a xml document can trivially trigger an amplification attack.

I was not able to verify that myself, but it is claimed to affect all
fop version from 1.0 up to 2.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:



This is the maintainer address of Debian's Java team
Please use for discussions and questions.

Reply via email to