CVE-2015-0250 — batik - security update

Description

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.

How to fix CVE-2015-0250

To remediate CVE-2015-0250, upgrade the affected package to a fixed version below.

Debian/batik—upgrade to 1.7+dfsg-5 or later
Debian/batik—upgrade to 1.7-6+deb6u1 or later
Debian/batik—upgrade to 1.7+dfsg-3+deb7u1 or later
—upgrade to 1.8 or later

Is CVE-2015-0250 being exploited?

Low — EPSS is 2.9%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 1.7+dfsg-5
from 0, < 1.7-6+deb6u1
from 0, < 1.7+dfsg-3+deb7u1
>= 1.0, < 1.8

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-0250
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-0250
WEBadvisories.mageia.org/MGASA-2015-0138.html
WEBpacketstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.html
WEB