Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 607720 (CVE-2017-5617) - dev-java/svgsalamander: SSRF (Server-Side Request Forgery) vulnerability
Summary: dev-java/svgsalamander: SSRF (Server-Side Request Forgery) vulnerability
Alias: CVE-2017-5617
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [upstream cve]
Keywords: PMASKED
Depends on:
Reported: 2017-01-30 13:54 UTC by Thomas Deutschmann
Modified: 2019-08-14 19:58 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-01-30 13:54:09 UTC
From $URL:

If the library is being used in a web application for processing user supplied SVG files then the app is vulnerable to SSRF.

The attacker can send a specially crafted svg file, for example

> <svg width="5cm" height="4cm" version="1.1"
>     xmlns="" xmlns:xlink= "http://www.w3.or /1999/xlink">
> 	<image xlink:href="https://host-in-the-trusted-network.invalid/test.jpg" x="0" y="0" height="50px" width="50px"/>
> </svg>

and the lib will send the request inside the trusted network to the (bypassing the firewall). In general, the attacker can use any scheme supported by default (such as file://, jar:// etc) or use application specific scheme.
Comment 1 D'juan McDonald (domhnall) 2018-09-11 02:11:05 UTC
According to the upstream ticket, this is now fixed via

in version 1.1.2. See for further discussion about the fix.
Comment 2 Larry the Git Cow gentoo-dev 2019-08-14 19:58:40 UTC
The bug has been referenced in the following commit(s):

commit 23e4ebd36288a78038ba403891819de76fb2d94f
Author:     Aaron Bauman <>
AuthorDate: 2019-08-14 19:58:03 +0000
Commit:     Aaron Bauman <>
CommitDate: 2019-08-14 19:58:03 +0000

    profiles/package.mask: mask dev-java/svgsalamander
    * 1 rdep
    Signed-off-by: Aaron Bauman <>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)