CVE-2017-5662: XEE
First published: Tue Apr 18 2017(Updated: )
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Batik | <=1.8 | |
| debian/batik | 1.10-2+deb10u1 1.10-2+deb10u3 1.12-4+deb11u2 1.12-4+deb11u1 1.16+dfsg-1+deb12u1 1.17+dfsg-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2017-5662
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5662
- http://www.openwall.com/lists/oss-security/2017/04/18/1
- https://xmlgraphics.apache.org/security.html
- https://issues.apache.org/jira/browse/BATIK-1091?jql=project%20%3D%20BATIK%20AND%20fixVersion%20%3D%201.9%20ORDER%20BY%20updated%20DESC%2C%20priority%20DESC%2C%20created%20ASC
- https://issues.apache.org/jira/browse/BATIK-1018
- https://issues.apache.org/jira/browse/BATIK-1139
- https://people.debian.org/~anarcat/debian/wheezy-lts/
- https://anonscm.debian.org/cgit/pkg-java/batik.git/commit/?id=3985be1
- https://www.apache.org/dist/xmlgraphics/batik/KEYS
- http://svn.apache.org/viewvc?view=revision&revision=1687506
- https://www.debian.org/doc/manuals/developers-reference/ch05.html#upload-stable
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860566
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/97948
- http://www.securitytracker.com/id/1038334
- https://access.redhat.com/errata/RHSA-2017:2546
- https://access.redhat.com/errata/RHSA-2017:2547
- https://access.redhat.com/errata/RHSA-2018:0319
- https://www.debian.org/security/2018/dsa-4215
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://seclists.org/oss-sec/2017/q2/85
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1443593
- http://svn.apache.org/viewvc?view=revision&revision=1742892
- http://svn.apache.org/viewvc?view=revision&revision=1743326
- https://bugzilla.redhat.com/show_bug.cgi?id=1443592
- https://www.openwall.com/lists/oss-security/2017/04/18/1
- http://svn.apache.org/r1743326
Frequently Asked Questions
What is the severity of CVE-2017-5662?
CVE-2017-5662 has a moderate severity rating due to its ability to expose sensitive files on the server to unauthorized users.
How do I fix CVE-2017-5662?
To remediate CVE-2017-5662, upgrade Apache Batik to version 1.9 or later to mitigate the vulnerability.
What types of files can be leaked due to CVE-2017-5662?
The types of files that can be revealed through CVE-2017-5662 depend on the permissions of the user context running the vulnerable application.
Which versions of Apache Batik are affected by CVE-2017-5662?
All versions of Apache Batik before 1.9 are vulnerable to CVE-2017-5662.
Is there a known exploit for CVE-2017-5662?
Yes, CVE-2017-5662 can be exploited by sending specially crafted SVG files to the affected application.
- collector/debian-bugs
- alias/CVE-2017-5662
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/event
- agent/description
- agent/source
- package-manager/debian
- vendor/apache
- canonical/apache batik
- version/apache batik/1.8
- package-manager/redhat