Moderate severityNVD Advisory· Published Mar 24, 2015· Updated May 6, 2026

CVE-2015-0250

Description

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.xmlgraphics:batikMaven	>= 1.0, < 1.8	1.8

Affected products

Apache/Batik
cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*
Range: <=1.7
Red Hat/Jboss Enterprise Brms Platform
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*
Range: <=6.1.2
Canonical (company)/Ubuntu Linux3 versions
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*+ 2 more
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.ubuntu.com/usn/USN-2548-1nvdPatchWEB
seclists.org/fulldisclosure/2015/Mar/142nvdExploitWEB
xmlgraphics.apache.org/security.htmlnvdVendor AdvisoryWEB
github.com/advisories/GHSA-wfw6-mmmp-87xmghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2015-0250ghsaADVISORY
advisories.mageia.org/MGASA-2015-0138.htmlnvdWEB
packetstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.htmlnvdWEB
rhn.redhat.com/errata/RHSA-2016-0041.htmlnvdWEB
rhn.redhat.com/errata/RHSA-2016-0042.htmlnvdWEB
www-01.ibm.com/support/docview.wssnvdWEB
www.debian.org/security/2015/dsa-3205nvdWEB
www.mandriva.com/security/advisoriesnvdWEB
www.securitytracker.com/id/1032781nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000