CVE-2025-68280
BaseFortify
Publication date: 2026-01-05
Last updated on: 2026-01-08
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | sis | From 0.4 (inc) to 1.5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Restriction of XML External Entity (XXE) Reference in Apache SIS. It allows an attacker to craft XML files that, when parsed by Apache SIS, can reveal the content of local files on the server running Apache SIS. This affects several services within Apache SIS that parse XML data, including reading GeoTIFF files with GEO_METADATA tags, parsing ISO 19115 metadata, parsing Coordinate Reference Systems in GML format, and parsing GPS Exchange Format (GPX) files.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive local files on the server running Apache SIS. An attacker can exploit this to access confidential information stored on the server, potentially leading to data breaches or further attacks leveraging the exposed data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should upgrade Apache SIS to version 1.6 or later, which fixes the issue. If upgrading is not possible right away, you can avoid the vulnerability by launching Java with the system property javax.xml.accessExternalDTD set to a comma-separated list of authorized protocols (an empty string authorizes none), for example: java -Djavax.xml.accessExternalDTD="" ...
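The JVM-wide property above applies the restriction to every JAXP parser in the process. The following is an added example, not Apache SIS code, showing the same restriction applied per parser instance together with the other standard JAXP hardening settings, and a check that a document carrying a DOCTYPE is rejected. The class and method names are hypothetical, the two XML inputs are constructed for the example, and the DTD URL is a placeholder.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical helper class; not part of Apache SIS.
public class HardenedXmlParser {

    // Builds a JAXP DocumentBuilder that refuses DOCTYPE declarations and
    // denies all external DTD and schema access.
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();

        // Same effect as -Djavax.xml.accessExternalDTD="" but scoped to this
        // factory: the empty protocol list authorizes no external DTD access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

        // Defence in depth: reject any DOCTYPE outright so no entity
        // declaration (internal or external) is ever processed.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true if the hardened parser accepts the document, false if it
    // rejects it (a SAXException is what the DOCTYPE check raises).
    public static boolean parses(String xml) throws Exception {
        DocumentBuilder builder = hardenedBuilder();
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a minimal GPX-like document, and the same
        // document prefixed with a DOCTYPE pointing at a placeholder DTD URL.
        String plain = "<gpx version=\"1.1\"><wpt lat=\"0\" lon=\"0\"/></gpx>";
        String withDoctype =
            "<!DOCTYPE gpx SYSTEM \"http://dtd.example.invalid/gpx.dtd\">"
            + "<gpx version=\"1.1\"><wpt lat=\"0\" lon=\"0\"/></gpx>";

        System.out.println("plain document accepted:   " + parses(plain));
        System.out.println("DOCTYPE document accepted: " + parses(withDoctype));
    }
}
```

The per-factory attributes are the right tool when you control the parsing code; the system property from the Q&A above is the right tool when the parser is created inside a library you cannot change, which is the situation for Apache SIS users who cannot upgrade yet. Note that a parser which does not recognise the ACCESS_EXTERNAL_DTD attribute throws IllegalArgumentException from setAttribute, which is preferable to silently running without the restriction.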