CVE-2017-5661
HIGHApache FOP < 2.2 - XML External Entity Injection via Malicious SVG File
Title source: llmDescription
In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
References (4)
Core 4
Core References
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2017/dsa-3864
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/97947
Patch, Vendor Advisory x_refsource_confirm
https://xmlgraphics.apache.org/security.html
Third Party Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2021-14
Scores
CVSS v3
7.3
EPSS
0.0245
EPSS Percentile
85.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H
Details
CWE
CWE-611
Status
published
Products (3)
apache/formatting_objects_processor
< 2.1
Apache Software Foundation/Apache FOP
before 2.2
org.apache.xmlgraphics/fop
0 - 2.2Maven
Published
Apr 18, 2017
Tracked Since
Feb 18, 2026