Apache Batik is susceptible to denial of service (DoS) or file disclosure through XML external entities (XXE). The attacks are possible because it does not prevent the dereferencing of XML external entities declared in the DTD, and it reveals the content of the target file in the output.
advisories.mageia.org/MGASA-2015-0138.html
packetstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.html
rhn.redhat.com/errata/RHSA-2016-0041.html
rhn.redhat.com/errata/RHSA-2016-0042.html
seclists.org/fulldisclosure/2015/Mar/142
www-01.ibm.com/support/docview.wss?uid=swg21963275
www.debian.org/security/2015/dsa-3205
www.mandriva.com/security/advisories?name=MDVSA-2015:203
www.securitytracker.com/id/1032781
www.ubuntu.com/usn/USN-2548-1
xmlgraphics.apache.org/security.html
github.com/apache/batik/commit/1e12686194370b22420da705d71af66161affa33
issues.apache.org/jira/browse/BATIK-1018