XXE attack in Apache Batik - CVE-2017-5662
Published: June 5, 2018
Vulnerability identifier: #VU13180
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-5662
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Batik
Detailed vulnerability description
The vulnerability allows a remote unauthenticated attacker to conduct an XXE attack on the target system.
The weakness exists due to improper restriction of XML external entity references (CWE-611). A remote attacker can supply a specially crafted XML document to gain access to arbitrary files or to conduct an amplification attack that causes the service to crash.
How to mitigate CVE-2017-5662
Update to version 1.9.