#VU6634 Improper Restriction of XML External Entity Reference in Apache FOP
Vulnerability identifier: #VU6634
Vulnerability risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-611
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Apache FOP
Client/Desktop applications /
Multimedia software
Vendor: Apache Foundation
Description
The vulnerability allows a remote attacker to perform an XXE attack.
The vulnerability exists due to insufficient validation of user-supplied data when processing SVG files. A remote attacker can create a specially crafted SVG file, trick the victim into opening it with affected application and gain access to potentially sensitive information.
Successful exploitation of the vulnerability may lead to system compromise.
Mitigation
Update to version 2.2.
Vulnerable software versions
Apache FOP: 1.0 - 2.1
External links
http://xmlgraphics.apache.org/security.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
