CVE-2022-41704

CWE-918 — Server-Side Request Forgery (SSRF)10 documents8 sources

Severity

7.5HIGH

EPSS

0.4%

top 40.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Batik Apache Software Foundation Apache XML Graphics Debian Debian Linux

Timeline

PublishedOct 25

Latest updateMar 19

Description

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Mavenorg.apache.xmlgraphics:batik< 1.16

▶CVEListV5apache_software_foundation/apache_xml_graphicsBatik — 1.15

▶NVDapache/batik1.0 — 1.16

▶Debianbatik< 1.12-4+deb11u1+3

Also affects: Debian Linux 10.0, 11.0

🔴Vulnerability Details

OSV

batik vulnerabilities↗2023-05-30

▶

OSV

CVE-2022-41704: A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG↗2022-10-25

▶

CVEList

Apache Batik prior to 1.16 allows RCE when loading untrusted SVG input↗2022-10-25

▶

OSV

Apache XML Graphics Batik vulnerable to code execution via SVG.↗2022-10-25

▶

GHSA

Apache XML Graphics Batik vulnerable to code execution via SVG.↗2022-10-25

▶

📋Vendor Advisories

Atlassian

CVE-2022-41704: RCE (Remote Code Execution) org.apache.xmlgraphics:batik-bridge Dependency in Jira Software Data Center and Server↗2024-03-19

▶

Ubuntu

Apache Batik vulnerabilities↗2023-05-30

▶

Red Hat

batik: Apache XML Graphics Batik vulnerable to code execution via SVG↗2022-10-25

▶

Debian

CVE-2022-41704: batik - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrus...↗2022

▶