What is CVE-2015-0250?

CVE-2015-0250 is a vulnerability in Apache Batik. Published 2015-03-24.

Is CVE-2015-0250 known to be exploited?

4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Batik

CVE-2015-0250

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.

EPSS: 0.029 (86.7th percentile) — read the EPSS interpretation.

Affected products

Apache Batik
Canonical Ubuntu_linux — versions 12.04, 14.04, 14.10
Redhat Jboss_enterprise_brms_platform
N/a — versions n/a

Public proof-of-concept exploits

References

USN-2548-1 (x_refsource_UBUNTU, vendor-advisory, Patch)
secalert@redhat.com (x_refsource_CONFIRM)
MDVSA-2015:203 (vendor-advisory, x_refsource_MANDRIVA)
DSA-3205 (vendor-advisory, x_refsource_DEBIAN)
1032781 (vdb-entry, x_refsource_SECTRACK)
secalert@redhat.com (x_refsource_CONFIRM)
20150322 [CVE-2015-0250] Apache Batik Information Disclosure Vulnerability (XXE Injection) (mailing-list, Exploit, x_refsource_FULLDISC)
RHSA-2016:0042 (x_refsource_REDHAT, vendor-advisory)
secalert@redhat.com (x_refsource_CONFIRM, Vendor Advisory)
RHSA-2016:0041 (x_refsource_REDHAT, vendor-advisory)

Frequently asked questions

What is CVE-2015-0250?: CVE-2015-0250 is a vulnerability in Apache Batik. Published 2015-03-24.
Is CVE-2015-0250 known to be exploited?: 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.