CVE-2022-40146 — Server-Side Request Forgery in Software Foundation Apache XML Graphics

CWE-918 — Server-Side Request Forgery12 documents9 sources

Severity

7.5HIGHNVD

EPSS

47.8%

top 2.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Batik Apache Software Foundation Apache XML Graphics Debian Linux

Timeline

PublishedSep 22

Latest updateMar 19

Description

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Debianapache/batik< 1.12-4+deb11u3+3

▶Ubuntuapache/batik< 1.10-2~18.04.1+4

▶NVDapache/batik1.14

▶CVEListV5apache_software_foundation/apache_xml_graphicsBatik 1.14

Also affects: Debian Linux 10.0

🔴Vulnerability Details

OSV

batik vulnerabilities↗2023-05-30

▶

GHSA

Apache Batik vulnerable to Server-Side Request Forgery↗2022-09-23

▶

OSV

Apache Batik vulnerable to Server-Side Request Forgery↗2022-09-23

▶

OSV

CVE-2022-40146: Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url↗2022-09-22

▶

CVEList

Jar url should be blocked by DefaultScriptSecurity↗2022-09-22

▶

📋Vendor Advisories

Atlassian

CVE-2022-40146: SSRF (Server-Side Request Forgery) org.apache.xmlgraphics:batik-bridge Dependency in Jira Software Data Center and Serve↗2024-03-19

▶

Ubuntu

Apache Batik vulnerabilities↗2023-05-30

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Infrastructure (Apache Batik) — CVE-2022-40146↗2023-04-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Utilities (Apache Batik) — CVE-2022-40146↗2023-01-15

▶

Red Hat

batik: Server-Side Request Forgery (SSRF) vulnerability↗2022-09-22

▶