[MAVEN:GHSA-5HG8-R9VQ-GJQP] Improper Restriction of XML External Entity Reference in Apache FOP

Severity High
Affected Packages 1
Fixed Packages 1
CVEs 1

In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root, a full compromise of the server, including confidential or sensitive files, would be possible. XXE can also be used to attack the availability of the server via denial of service, as the references within an XML document can trivially trigger an amplification attack.
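The standard defensive control for this bug class, shown here as an added example that is not FOP's own code and not the 2.2 fix itself (the fix is to upgrade): an application that hands untrusted SVG to an XML parser can first run it through a SAX reader configured to reject DOCTYPE declarations and external entities. The class and method names are assumed; the feature URIs are the standard SAX/Xerces ones honoured by the JDK parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSvgCheck {

    // Builds a SAX reader that refuses DOCTYPE declarations outright, so no
    // external entity (file:// or http://) can ever be declared or resolved.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour disallow-doctype-decl.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        XMLReader reader = factory.newSAXParser().getXMLReader();
        reader.setContentHandler(new DefaultHandler());
        return reader;
    }

    // Returns true only if the SVG parses cleanly under the hardened settings;
    // anything carrying a DOCTYPE is rejected before FOP ever sees it.
    static boolean isSafeToRender(String svg) {
        try {
            hardenedReader().parse(new InputSource(new StringReader(svg)));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a plain SVG and one that declares an entity.
        String benign = "<svg xmlns=\"http://www.w3.org/2000/svg\"><rect width=\"1\" height=\"1\"/></svg>";
        String withDoctype = "<!DOCTYPE svg [<!ENTITY e \"x\">]>"
                + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&e;</text></svg>";
        System.out.println("benign accepted:  " + isSafeToRender(benign));
        System.out.println("doctype accepted: " + isSafeToRender(withDoctype));
    }
}
```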

Affected version: pkg:maven/org.apache.xmlgraphics/fop < 2.2
Fixed version: pkg:maven/org.apache.xmlgraphics/fop = 2.2
ID
MAVEN:GHSA-5HG8-R9VQ-GJQP
Severity
high
URL
https://github.com/advisories/GHSA-5hg8-r9vq-gjqp
Published
2022-05-13T01:07:54
Modified
2023-01-27T05:02:18
Rights
Maven Security Team
Other Advisories
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix
Affected | pkg:maven/org.apache.xmlgraphics/fop | org.apache.xmlgraphics | fop | < 2.2 | | |
Fixed | pkg:maven/org.apache.xmlgraphics/fop | org.apache.xmlgraphics | fop | = 2.2 | | |