Directory Traversal Vulnerability in Apache Batik by Apache Foundation
CVE-2017-5662

7.3HIGH

Key Information:

Vendor
Apache
Status
Apache Batik
Vendor
CVE Published:
18 April 2017

Summary

Apache Batik versions before 1.9 contain a vulnerability that allows unauthorized access to files on the server's filesystem. Maliciously crafted SVG files can exploit this weakness, potentially exposing sensitive files based on the user permissions of the application context. Furthermore, if the application runs with elevated privileges, such as root, it could lead to a full server compromise. Additionally, this vulnerability may be leveraged for denial of service attacks by triggering significant amplification through references in XML documents.

Affected Version(s)

Apache Batik before 1.9

References

https://access.redhat.com/errata/RHSA-2017:2547
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:0319
vendor-advisoryx_refsource_REDHAT
http://www.securitytracker.com/id/1038334
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.