Vulnerability Details : CVE-2015-0250
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerability category: XML external entity (XXE) injection; Denial of service
Products affected by CVE-2015-0250
- cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-0250
4.32% (probability of exploitation activity in the next 30 days)
EPSS Score History
~92% percentile (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2015-0250
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P | 10.0 | 4.9 | NIST | |
References for CVE-2015-0250
- [Apache Batik XXE Injection ≈ Packet Storm](http://packetstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.html)
- [IBM Security Bulletin: Multiple Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.11](http://www-01.ibm.com/support/docview.wss?uid=swg21963275)
- [USN-2548-1: Batik vulnerability | Ubuntu security notices](http://www.ubuntu.com/usn/USN-2548-1) [Patch]
- [Full Disclosure: [CVE-2015-0250] Apache Batik Information Disclosure Vulnerability (XXE Injection)](http://seclists.org/fulldisclosure/2015/Mar/142) [Exploit]
- [RHSA-2016:0041 - Security Advisory - Red Hat Customer Portal](http://rhn.redhat.com/errata/RHSA-2016-0041.html)
- [Debian -- Security Information -- DSA-3205-1 batik](http://www.debian.org/security/2015/dsa-3205)
- [Mageia Advisory: MGASA-2015-0138 - Updated batik packages fix security vulnerabilities](http://advisories.mageia.org/MGASA-2015-0138.html)
- [Apache Batik XML External Entity Processing Flaw Lets Remote Users Obtain Potentially Sensitive Information - SecurityTracker](http://www.securitytracker.com/id/1032781)
- [RHSA-2016:0042 - Security Advisory - Red Hat Customer Portal](http://rhn.redhat.com/errata/RHSA-2016-0042.html)
- [mandriva.com](http://www.mandriva.com/security/advisories?name=MDVSA-2015:203)
- [The Apache™ XML Graphics Project - Community](http://xmlgraphics.apache.org/security.html) [Vendor Advisory]