CVE-2022-42890

CWE-918 — Server-Side Request Forgery (SSRF)14 documents9 sources

Severity

7.5HIGH

EPSS

0.4%

top 40.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Batik Apache Software Foundation Apache XML Graphics Debian Debian Linux

Timeline

PublishedOct 25

Latest updateJul 15

Description

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶Mavenorg.apache.xmlgraphics:batik< 1.16

▶Mavenorg.apache.xmlgraphics:batik-bridge< 1.16

▶CVEListV5apache_software_foundation/apache_xml_graphicsBatik — 1.15

▶NVDapache/batik1.0 — 1.16

▶Debianbatik< 1.12-4+deb11u1+3

Also affects: Debian Linux 10.0, 11.0

🔴Vulnerability Details

OSV

batik vulnerabilities↗2023-05-30

▶

CVEList

Apache Batik prior to 1.16 allows RCE via scripting↗2022-10-25

▶

OSV

Untrusted code execution in Apache XML Graphics Batik↗2022-10-25

▶

GHSA

Untrusted code execution in Apache XML Graphics Batik↗2022-10-25

▶

OSV

CVE-2022-42890: A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript↗2022-10-25

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Security (Apache Batik) — CVE-2022-42890↗2024-07-15

▶

Oracle

Oracle Oracle Analytics Risk Matrix: Analytics Web General (Apache Batik) — CVE-2022-42890↗2024-04-15

▶

Atlassian

CVE-2022-42890: RCE (Remote Code Execution) org.apache.xmlgraphics:batik-script Dependency in Jira Software Data Center and Server↗2024-03-19

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Reports (Apache Batik) — CVE-2022-42890↗2023-07-15

▶

Ubuntu

Apache Batik vulnerabilities↗2023-05-30

▶