Apache Batik is vulnerable to information disclosure through an XML External Entity (XXE) injection. When Batik parses a maliciously crafted SVG file, its XML parser resolves external entity declarations in the document's DTD instead of rejecting them. An attacker who can supply an SVG for processing can therefore declare an entity that points at a local file or an internal URL and have its contents pulled into the parsed document, gaining access to confidential information and private files. The same insecure parser configuration also allows XML entity expansion attacks: a small document whose nested entities expand to a very large string can exhaust the process's memory, crashing it and causing a denial of service (DoS) condition.
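The following is an added example, not Batik code or anything from the referenced advisories. It shows the shape of the payload described above (a constructed SVG whose DTD declares an external entity pointing at a local file; the path `/etc/hostname` is an arbitrary choice) and a generic JAXP parser configuration an application can run over untrusted SVG before handing it to Batik or any other renderer. The class and method names are the example's own; Batik internally uses its own SAX-based document factory, so this pre-check complements upgrading to a fixed release rather than replacing it.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Added example (not Batik code): an XXE payload hidden in an SVG, and a JAXP
 * configuration that refuses it before the bytes reach a renderer.
 */
public class SvgXxeDemo {

    // Constructed sample payload. The internal DTD subset declares an external entity
    // backed by a local file; an unhardened parser reads that file into <text>.
    static final String MALICIOUS_SVG =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE svg [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"10\" height=\"10\">\n"
      + "  <text x=\"0\" y=\"0\">&xxe;</text>\n"
      + "</svg>\n";

    /** Parser factory with DTDs and external entities switched off (standard XXE hardening). */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE blocks external entities and entity-expansion DoS at once,
        // because neither can be declared without a DTD.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /**
     * Returns true when the SVG parses under the hardened configuration and false when
     * the parser rejected it. A rejected document must not be forwarded to Batik.
     */
    static boolean parsesSafely(String svg) throws ParserConfigurationException {
        try {
            DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
            Document doc = builder.parse(new InputSource(new StringReader(svg)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            // disallow-doctype-decl surfaces as a SAXParseException at the DOCTYPE line.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("malicious SVG accepted? " + parsesSafely(MALICIOUS_SVG));
        String benign = "<svg xmlns=\"http://www.w3.org/2000/svg\">"
                      + "<rect width=\"1\" height=\"1\"/></svg>";
        System.out.println("benign SVG accepted? " + parsesSafely(benign));
    }
}
```

Running the class with a JAXP implementation that honours the Xerces feature URIs (the JDK's built-in parser does) prints `false` for the constructed payload and `true` for the plain rectangle. Rejecting the DOCTYPE outright is the simplest control because SVG documents that legitimately need a DTD are rare; if yours do, keep the three entity-related features off and additionally cap entity expansion with the JDK's `jdk.xml.entityExpansionLimit` system property.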
www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
www.securityfocus.com/bid/97948
www.securitytracker.com/id/1038334
access.redhat.com/errata/RHSA-2017:2546
access.redhat.com/errata/RHSA-2017:2547
access.redhat.com/errata/RHSA-2018:0319
github.com/apache/batik/compare/e2200fd50e424f6e132ec86ba65bb0b0805ca4d3...6ab669f073c23a443d78a7a08aea2fd4de10da8c
issues.apache.org/jira/browse/BATIK-1113
issues.apache.org/jira/browse/BATIK-1139
www.debian.org/security/2018/dsa-4215
www.oracle.com/security-alerts/cpuoct2020.html
www.sourceclear.com/registry/security/xml-external-entity-xxe-injection/java/sid-3891
xmlgraphics.apache.org/security.html