N/A

In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.

N/A

N/A

Apache Batik 代码问题漏洞

Apache Batik（又名Batik SVG Toolkit或Batik Java SVG Toolkit）是美国阿帕奇（Apache）软件基金会的一套基于Java的主要用于处理SVG格式图像的应用程序。 Apache Batik 1.9之前的版本中存在安全漏洞。远程攻击者可通过发送恶意的SVG文件利用该漏洞获取信息或造成拒绝服务。

N/A

N/A