Title: The Apache(tm) XML Graphics Project - Community
# The Apache™ XML Graphics Project - Security
## Published Vulnerabilities { #PublishedVulnerabilities}
The *Apache™ XML Graphics Project* collects the security-related information for all of its sub-projects on this page.
### Apache™ Batik Project - Apache Batik Security { #BatikSecurity}
**Fixed in Batik 1.14**
medium: SSRF vulnerability CVE-2020-11987
Issue Public: 2021-02-24
Update Released: 2021-01-20 (Batik 1.14)
Affects: 1.13 and earlier
**Fixed in Batik 1.13**
medium: SSRF vulnerability CVE-2019-17566
Issue Public: 2020-06-15
Update Released: 2020-05-13 (Batik 1.13)
Affects: 1.12 and earlier
**Fixed in Batik 1.10**
medium: Deserialization vulnerability CVE-2018-8013
Issue Public: 2018-05-23
Update Released: 2018-05-23 (Batik 1.10)
Affects: 1.9.1 and earlier
**Fixed in Batik 1.9**
medium: XXE vulnerability CVE-2017-5662
Issue Public: 2017-04-18
Update Released: 2017-04-10 (Batik 1.9)
Affects: 1.8 and earlier
**Fixed in Batik 1.8, 1.7.1 and 1.6.1**
medium: XXE vulnerability CVE-2015-0250
Issue Public: 2012-07-25
Update Released: 2015-03-17 (Batik 1.8) and 2015-05-10 (Batik 1.7.1 and 1.6.1)
Affects: 1.7, 1.6 and earlier
### Apache™ FOP Project - Apache FOP Security { #FOPSecurity}
**Fixed in FOP 2.2**
medium: XXE vulnerability CVE-2017-5661
Issue Public: 2017-04-18
Update Released: 2017-04-10 (FOP 2.2)
Affects: 2.1 and earlier
### Apache™ XML Graphics Commons Project - Apache XML Graphics Commons Security { #XMLGraphicsCommonsSecurity}
**Fixed in Commons 2.6**
medium: XXE vulnerability CVE-2020-11988
Issue Public: 2021-02-24
Update Released: 2021-01-20 (Commons 2.6)
Affects: 2.4 and earlier
## Reporting New Security Problems with the Apache XML Graphics Sub Projects { #ReportingSecurityProblems}
Please report problems to the private security mailing list of the ASF Security Team before disclosing them in a public forum. See the [ASF Security Team](https://www.apache.org/security/) page for further information and contact details.
**IMPORTANT**
* **The ASF Security Team cannot accept regular bug reports or other queries. We ask that you use our [bug reporting page](http://xmlgraphics.apache.org/commons/bugs.html) for those.**
* **All mail sent to the Security Team that does not relate to security problems in Apache software will be ignored.**
**VERY IMPORTANT**
* **Do not submit security reports regarding vulnerabilities to our bug reporting system. This may inadvertently publicize the security vulnerability. Instead, follow the steps on the [ASF Security Page](https://www.apache.org/security/).**
## Security Standards { #SecurityStandards}
Apache XML Graphics Project vulnerabilities are labeled with [CVE](http://cve.mitre.org/) (Common Vulnerabilities and Exposures) identifiers.