CVE-2022-44729 — Server-Side Request Forgery in Batik

CWE-918 — Server-Side Request Forgery10 documents8 sources

Severity

7.1HIGHNVD

EPSS

0.1%

top 69.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Batik Debian Batik Apache XML Graphics Batik +3 more

Timeline

PublishedAug 22

Latest updateSep 18

Description

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages5 packages

▶CVEListV5apache_software_foundation/apache_xml_graphics_batik1.16

▶NVDapache/xml_graphics_batik1.0 — 1.16

▶Debianapache/batik< 1.12-4+deb11u2+3

▶debiandebian/batik< batik 1.16+dfsg-1+deb12u1 (bookworm)

▶atlassianatlassian/jira_service_management

Also affects: Debian Linux 10.0

🔴Vulnerability Details

GHSA

Apache XML Graphics Batik Server-Side Request Forgery vulnerability↗2023-08-22

▶

OSV

CVE-2022-44729: Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik↗2023-08-22

▶

OSV

Apache XML Graphics Batik Server-Side Request Forgery vulnerability↗2023-08-22

▶

📋Vendor Advisories

CISA ICS

Hitachi Energy Asset Suite↗2025-09-18

▶

Atlassian

CVE-2022-44729: SSRF org.apache.xmlgraphics:batik-bridge Dependency in Jira Service Management Data Center and Server↗2024-01-16

▶

Oracle

Oracle Oracle Financial Services Applications Risk Matrix: Infrastructure (Apache Batik) — CVE-2022-44729↗2024-01-15

▶

Oracle

Oracle Oracle Database Server Risk Matrix: Oracle Spatial and Graph (Apache Batik) — CVE-2022-44729↗2023-10-15

▶

Red Hat

batik: Server-Side Request Forgery vulnerability↗2023-08-22

▶