https://issues.apache.org/bugzilla/show_bug.cgi?id=53603
Priority: P2
Bug ID: 53603
Assignee: [email protected]
Summary: "XML External Entities" vulnerability
Severity: major
Classification: Unclassified
OS: All
Reporter: [email protected]
Hardware: All
Status: NEW
Version: 1.8
Component: SVG DOM
Product: Batik
Created attachment 29114
--> https://issues.apache.org/bugzilla/attachment.cgi?id=29114&action=edit
Malicious SVG file
During visualization with Squiggle or rasterization via the CLI tool, XML
external entities defined in the DTD are dereferenced and the content of the
target file is included in the output.
The impact of this vulnerability ranges from denial of service to file
disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.
For some additional information about XXE attacks, please refer to
http://cwe.mitre.org/data/definitions/827.html
How to reproduce:
$> rasterizer xxe.svg -d xxe.png
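Added here as a defender's pre-check, not code from the bug report or from Batik: a small Python scanner that flags SVG input whose DTD declares external entities before the file is handed to a renderer. It uses the standard-library expat bindings, which never fetch external entities on their own, so the scan cannot trigger the read it is looking for; the sample documents are constructed and the file path in them is a placeholder.

```python
"""Flag SVG/XML input that declares external entities in its DTD.

Constructed example, independent of Batik. expat only reports what the
DTD declares; it does not resolve SYSTEM/PUBLIC identifiers unless an
ExternalEntityRefHandler is installed, which this code never does.
"""
import xml.parsers.expat as expat


class ExternalEntityError(ValueError):
    """Raised when the document's DTD declares an external entity."""


def _entity_decl(name, is_param, value, base, system_id, public_id, notation):
    # A SYSTEM or PUBLIC identifier means the entity body lives outside the
    # document (a local file or a URL): the construct an XXE payload needs.
    if system_id is not None or public_id is not None:
        kind = "parameter" if is_param else "general"
        raise ExternalEntityError(
            f"external {kind} entity {name!r} -> {system_id or public_id}")


def external_entity_report(svg_bytes):
    """Return None if no external entity is declared, else a short reason.

    Malformed XML is also reported, since a renderer would reject it anyway.
    """
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = _entity_decl  # fires for every <!ENTITY ...>
    try:
        parser.Parse(svg_bytes, True)
    except ExternalEntityError as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return f"malformed XML: {exc}"
    return None


# Constructed samples; the SYSTEM path is a placeholder, not a real target.
CLEAN_SVG = (b'<?xml version="1.0"?>'
             b'<svg xmlns="http://www.w3.org/2000/svg"><text>ok</text></svg>')
XXE_SVG = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("xxe", XXE_SVG)):
        print(label, "->", external_entity_report(doc) or "no external entities")
```

A DOCTYPE that only names an external DTD subset (the usual W3C SVG declaration) declares no entity and is not flagged by this check; whether the renderer fetches that DTD is a separate setting to review.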