{
  "threat_severity" : "Moderate",
  "public_date" : "2012-07-25T00:00:00Z",
  "bugzilla" : {
    "description" : "batik: XML External Entity (XXE) injection in SVG parsing",
    "id" : "1203762",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1203762"
  },
  "cvss" : {
    "cvss_base_score" : "5.8",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:N/A:P",
    "status" : "verified"
  },
  "cwe" : "CWE-611",
  "details" : [ "XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.", "It was found that batik was vulnerable to XML External Entity (XXE) attacks when parsing SVG files. A remote attacker able to submit malicious SVG content to an affected server could use this flaw to read files accessible to the user running the application server, cause a denial of service, and potentially perform other XXE-based attacks. Upgrading to Apache Batik 1.8 or later addresses the issue; applications that must parse untrusted SVG with an older batik should only do so with external entity resolution disabled in the underlying XML parser." ],
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss BPMS 6.1",
    "release_date" : "2016-01-14T00:00:00Z",
    "advisory" : "RHSA-2016:0042",
    "cpe" : "cpe:/a:redhat:jboss_bpms:6.1",
    "package" : "batik"
  }, {
    "product_name" : "Red Hat JBoss BPMS 6.2",
    "release_date" : "2015-12-07T00:00:00Z",
    "advisory" : "RHSA-2015:2560",
    "cpe" : "cpe:/a:redhat:jboss_bpms:6.2",
    "package" : "batik"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6.1",
    "release_date" : "2016-01-14T00:00:00Z",
    "advisory" : "RHSA-2016:0041",
    "cpe" : "cpe:/a:redhat:jboss_brms:6.1",
    "package" : "batik"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6.2",
    "release_date" : "2015-12-07T00:00:00Z",
    "advisory" : "RHSA-2015:2559",
    "cpe" : "cpe:/a:redhat:jboss_brms:6.2",
    "package" : "batik"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "batik",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "batik",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Virtualization 3",
    "fix_state" : "Will not fix",
    "package_name" : "jasperreports-server-pro",
    "cpe" : "cpe:/a:redhat:enterprise_linux:7::hypervisor"
  }, {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Will not fix",
    "package_name" : "batik",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Affected",
    "package_name" : "batik",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5",
    "fix_state" : "Will not fix",
    "package_name" : "batik",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2",
    "fix_state" : "Not affected",
    "package_name" : "jboss-eap6-modules",
    "cpe" : "cpe:/a:redhat:openshift:2"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2",
    "fix_state" : "Not affected",
    "package_name" : "openshift-origin-cartridge-fuse",
    "cpe" : "cpe:/a:redhat:openshift:2"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "rh-java-common-batik",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-0250\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-0250\nhttp://xmlgraphics.apache.org/security.html" ],
  "name" : "CVE-2015-0250",
  "csaw" : false
}