Batik offers several classes for SVG to PNG/JPG conversion, which suffer
from a XML External Entity Injection due to the evaluation of external
entities within the given SVG file. If an application offers the
possibility to upload a SVG file an attacker can put in a malicious
formed file and retrieve sensitive information such as the content of
files of the respective server. The type of file that can be retrieved
depends on the user context in which the application is running.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
any | any | any | java-batik | <ย 1.8-1 | UNKNOWN |