CVE-2017-5662 - In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be reve

CVE-2017-5662

Summary

In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.

References

Vulnerable Configurations

cpe:2.3:a:apache:batik:-:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:-:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.1:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.1:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.1:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.1:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.1:rc3:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.1:rc3:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.1:rc4:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.1:rc4:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:beta1:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:beta1:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:beta2:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:beta2:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:beta3:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:beta3:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:beta4:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:beta4:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:beta4b:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:beta4b:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:beta5:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5:beta5:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5.1:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.5.1:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.6.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.7:beta1:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.7:beta1:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.7.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.7.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:batik:1.8:*:*:*:*:*:*:*

CVSS

Base:	7.9 (as of 20-10-2020 - 22:15)
Impact:
Exploitability:

CWE

CWE-611

CAPEC

XML External Entities Blowup
This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	SINGLE

Impact

Confidentiality	Integrity	Availability
COMPLETE	NONE	COMPLETE

cvss-vector via4

AV:N/AC:M/Au:S/C:C/I:N/A:C

redhat via4

advisories

rhsa
id RHSA-2017:2546
rhsa
id RHSA-2017:2547
rhsa
id RHSA-2018:0319

refmap via4

bid	97948
confirm	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html https://xmlgraphics.apache.org/security.html
debian	DSA-4215
misc	https://www.oracle.com/security-alerts/cpuoct2020.html
sectrack	1038334

Last major update

20-10-2020 - 22:15

Published

18-04-2017 - 14:59

Last modified

20-10-2020 - 22:15