CVE-2015-0250
First published: Tue Mar 24 2015(Updated: )
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =14.10 | |
| Apache Batik | <=1.7 | |
| Red Hat JBoss Enterprise BRMS Platform | <=6.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://advisories.mageia.org/MGASA-2015-0138.html
- http://packetstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.html
- http://rhn.redhat.com/errata/RHSA-2016-0041.html
- http://rhn.redhat.com/errata/RHSA-2016-0042.html
- http://seclists.org/fulldisclosure/2015/Mar/142
- http://www-01.ibm.com/support/docview.wss?uid=swg21963275
- http://www.debian.org/security/2015/dsa-3205
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:203
- http://www.securitytracker.com/id/1032781
- http://www.ubuntu.com/usn/USN-2548-1
- http://xmlgraphics.apache.org/security.html
Frequently Asked Questions
What is the severity of CVE-2015-0250?
CVE-2015-0250 is considered a high severity vulnerability due to its potential to allow remote attackers to read arbitrary files.
How do I fix CVE-2015-0250?
To mitigate CVE-2015-0250, upgrade Apache Batik to version 1.8 or higher.
What causes the CVE-2015-0250 vulnerability?
The CVE-2015-0250 vulnerability is caused by improper parsing of SVG files, leading to XML external entity (XXE) injection.
Which software versions are affected by CVE-2015-0250?
CVE-2015-0250 affects Apache Batik versions prior to 1.8 and specific versions of Ubuntu and Red Hat JBoss Enterprise BRMS.
What are the potential impacts of CVE-2015-0250?
The impacts of CVE-2015-0250 include unauthorized file access and potential denial of service due to crafted SVG files.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/references
- agent/severity
- agent/remedy
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/14.10
- vendor/apache
- canonical/apache batik
- version/apache batik/1.7
- vendor/redhat
- canonical/red hat jboss enterprise brms platform
- version/red hat jboss enterprise brms platform/6.1.2