Apache XML Graphics FOP 2.1 Information Disclosure

Published: 2017.04.19
Credit: Pierre Ernst
Risk: Medium
CWE: N/A
CVE: CVE-2017-5661
Local: No
Remote: Yes

CVSS Base Score: 7.9/10
Impact Subscore: 9.2/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: None
Availability impact: Complete

CVE-2017-5661:
Apache XML Graphics FOP information disclosure vulnerability

Severity:
Medium

Vendor:
The Apache Software Foundation

Versions Affected:
FOP 1.0 - 2.1

Description:
Files lying on the filesystem of the server which uses batik can
be revealed to arbitrary users who send maliciously formed SVG
files. The file types that can be shown depend on the user context
in which the exploitable application is running. If the user is root,
a full compromise of the server, including confidential or sensitive
files, would be possible.

XXE can also be used to attack the availability of the server
via denial of service, as the references within an XML document
can trivially trigger an amplification attack.

Mitigation:
Users should upgrade to FOP 2.2+
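As an added example (not code from the FOP project or this advisory), the following Python pre-screen inspects an untrusted SVG's prolog for the constructs the description names, external entities and inline entity declarations that enable amplification, so a service can reject such input before it ever reaches the renderer; the sample documents and the SYSTEM target are constructed placeholders.

```python
from typing import List
from xml.parsers import expat


class _StopScan(Exception):
    pass  # raised from a handler to abort parsing once the prolog has been inspected


def screen_svg(data: bytes) -> List[str]:
    """Return risky prolog constructs found in an SVG document, [] if none.
    Only DOCTYPE/entity declarations are inspected; expat never fetches external
    resources on its own, so scanning the untrusted file is itself safe."""
    findings: List[str] = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id:  # an external DTD subset can carry entity declarations out of sight
            findings.append(f"external DTD '{system_id}'")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if (system_id or public_id) else "internal"  # internal: amplification
        findings.append(f"{kind} {'parameter ' if is_param else ''}entity '{name}'")

    def on_end_doctype():
        raise _StopScan  # nothing after the DOCTYPE can declare entities; skip the body

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.EndDoctypeDeclHandler = on_end_doctype
    try:
        parser.Parse(data, True)
    except _StopScan:
        pass
    except expat.ExpatError as err:
        findings.append(f"not well-formed XML ({err})")
    return findings


# Constructed samples, not taken from the advisory; the SYSTEM target is a placeholder.
UNSAFE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">
  <!ENTITY lol "lol">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;&lol;</text></svg>"""
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'

if __name__ == "__main__":
    for label, doc in (("unsafe", UNSAFE_SVG), ("clean", CLEAN_SVG)):
        hits = screen_svg(doc)
        print(label, "REJECT" if hits else "ACCEPT", hits)
```

Legitimate SVGs that carry the W3C public DOCTYPE are also flagged by this screen, which is deliberate: the real fix remains the upgrade above together with a parser configuration that does not resolve DOCTYPE or external entities.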

Credit:
This issue was independently reported by Pierre Ernst at Salesforce.

References:
http://xmlgraphics.apache.org/security.html

The Apache XML Graphics team.




Copyright 2017, cxsecurity.com