#VU13180 XXE attack in Apache Batik - CVE-2017-5662
Published: June 5, 2018
Vulnerability identifier: #VU13180
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-5662
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Apache Batik
Software vendor:
Apache Foundation
Description
The vulnerability allows a remote unauthenticated attacker to conduct an XXE attack on the target system.
The weakness exists due to improper restriction of XML external entity references. A remote attacker can supply a specially crafted XML document to gain access to arbitrary files or conduct an amplification attack to cause the service to crash.
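The following is an added example, not code from the advisory or from Apache Batik (which is written in Java). It shows the defensive policy behind CWE-611 fixes: refuse any DOCTYPE declaration before the parser can declare or resolve entities, which closes both the external-entity (file access) and the internal-entity amplification (crash) cases named above. On the Java side the same policy is the Xerces/JAXP feature `http://apache.org/xml/features/disallow-doctype-decl`; here it is done with Python's expat binding so it runs stand-alone. The three SVG documents, the `file:///placeholder/...` path and all function names are constructed for this example.

```python
import re
import xml.parsers.expat


class UnsafeDocumentError(ValueError):
    """Raised when a document carries a DTD, which is the only place where
    external entities (CWE-611) and entity-amplification bombs can be declared."""


# Constructed sample inputs (not taken from the advisory or from Batik).
BENIGN_SVG = (
    b'<?xml version="1.0"?>'
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10"/></svg>'
)
# External entity: the shape of an XXE document. The path is a placeholder.
EXTERNAL_ENTITY_SVG = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///placeholder/local-file.txt">]>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>'
)
# Internal entities only, nested so that one reference expands many times
# (the amplification / denial-of-service variant the advisory mentions).
INTERNAL_ENTITY_SVG = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE svg [<!ENTITY a "aaaaaaaaaa">'
    b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
    b'<svg><text>&b;</text></svg>'
)


def find_dtd_markers(data: bytes) -> dict:
    """Cheap pre-parse triage, e.g. at a gateway or when scanning captured
    uploads: report whether the bytes carry a DOCTYPE, any entity declaration,
    and any entity that points outside the document (SYSTEM/PUBLIC)."""
    return {
        "doctype": b"<!DOCTYPE" in data,
        "entity_decl": b"<!ENTITY" in data,
        "external_entity": re.search(rb"<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b", data) is not None,
    }


def parse_svg_safely(data: bytes) -> dict:
    """Parse with expat but refuse the document as soon as a DOCTYPE appears.
    Rejecting the DTD outright blocks external entities and internal entity
    expansion alike. Returns a small summary of what was parsed."""
    parser = xml.parsers.expat.ParserCreate()
    summary = {"root": None, "elements": 0}

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Invoked before any entity in the DTD is declared or resolved.
        raise UnsafeDocumentError(
            f"DOCTYPE '{doctype_name}' not allowed (system_id={system_id!r})"
        )

    def start_element(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    # No ExternalEntityRefHandler is installed, so expat has no way to fetch
    # external resources even if the DOCTYPE check were somehow bypassed.
    parser.Parse(data, True)
    return summary


def classify_document(data: bytes) -> str:
    """Map a document to an outcome a service can log or act on."""
    try:
        parse_svg_safely(data)
    except UnsafeDocumentError:
        return "rejected_doctype"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG),
                       ("external-entity", EXTERNAL_ENTITY_SVG),
                       ("internal-entity", INTERNAL_ENTITY_SVG)]:
        print(f"{label:16s} markers={find_dtd_markers(doc)} -> {classify_document(doc)}")
```

`find_dtd_markers` is deliberately a byte-level check so it can run on traffic captures or upload logs without a parser; `parse_svg_safely` is the control that actually matters in the application, because it fails closed on the DOCTYPE itself rather than trying to enumerate dangerous entity forms.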
Remediation
Update to version 1.9.