Debian Batik vulnerabilities

13 known vulnerabilities affecting debian/batik.

Total CVEs
13
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH7MEDIUM5

Vulnerabilities

Page 1 of 1
CVE-2022-44729HIGHCVSS 7.1fixed in batik 1.16+dfsg-1+deb12u1 (bookworm)2022
CVE-2022-44729 [HIGH] CVE-2022-44729: batik - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation A... Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or
debian
CVE-2022-40146HIGHCVSS 7.5fixed in batik 1.15+dfsg-1 (bookworm)2022
CVE-2022-40146 [HIGH] CVE-2022-40146: batik - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics... Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. Scope: local bookworm: resolved (fixed in 1.15+dfsg-1) bullseye: resolved (fixed in 1.12-4+deb11u3) forky: resolved (fixed in 1.15+dfsg-1) sid: resolved (fixed in 1.15+dfsg-1) trixie: re
debian
CVE-2022-42890HIGHCVSS 7.5fixed in batik 1.16+dfsg-1 (bookworm)2022
CVE-2022-42890 [HIGH] CVE-2022-42890: batik - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java c... A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16. Scope: local bookworm: resolved (fixed in 1.16+dfsg-1) bullseye: resolved (fixed in 1.12-4+deb11u1) forky: resolved (fixed in 1.16+dfsg-1) sid: res
debian
CVE-2022-41704HIGHCVSS 7.5fixed in batik 1.16+dfsg-1 (bookworm)2022
CVE-2022-41704 [HIGH] CVE-2022-41704: batik - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrus... A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16. Scope: local bookworm: resolved (fixed in 1.16+dfsg-1) bullseye: resolved (fixed in 1.12-4+deb11u1) forky: resolved (fixed in 1.16+dfsg-1) sid: resolved (fixed in 1
debian
CVE-2022-44730MEDIUMCVSS 4.4fixed in batik 1.16+dfsg-1+deb12u1 (bookworm)2022
CVE-2022-44730 [MEDIUM] CVE-2022-44730: batik - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation A... Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data and send it directly as parameter to a URL. Scope: local bookworm: resolved (fixed in 1.16+dfsg-1+deb12u1) bullseye: resolved (fixed in 1.12-4+deb11u2) forky: resolv
debian
CVE-2022-38648MEDIUMCVSS 5.3fixed in batik 1.15+dfsg-1 (bookworm)2022
CVE-2022-38648 [MEDIUM] CVE-2022-38648: batik - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics... Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14. Scope: local bookworm: resolved (fixed in 1.15+dfsg-1) bullseye: resolved (fixed in 1.12-4+deb11u3) forky: resolved (fixed in 1.15+dfsg-1) sid: resolved (fixed in 1.15+dfsg-1) trixie: reso
debian
CVE-2022-38398MEDIUMCVSS 5.3fixed in batik 1.15+dfsg-1 (bookworm)2022
CVE-2022-38398 [MEDIUM] CVE-2022-38398: batik - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics... Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. Scope: local bookworm: resolved (fixed in 1.15+dfsg-1) bullseye: resolved (fixed in 1.12-4+deb11u3) forky: resolved (fixed in 1.15+dfsg-1) sid: resolved (fixed in 1.15+dfsg-1) trix
debian
CVE-2020-11987HIGHCVSS 8.2fixed in batik 1.14-1 (bookworm)2020
CVE-2020-11987 [HIGH] CVE-2020-11987: batik - Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improp... Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Scope: local bookworm: resolved (fixed in 1.14-1) bullseye: resolved (fixed in 1.12-4+deb11u3) fork
debian
CVE-2019-17566HIGHCVSS 7.5fixed in batik 1.12-1.1 (bookworm)2019
CVE-2019-17566 [HIGH] CVE-2019-17566: batik - Apache Batik is vulnerable to server-side request forgery, caused by improper in... Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Scope: local bookworm: resolved (fixed in 1.12-1.1) bullseye: resolved (fixed in 1.12-1.1) forky
debian
CVE-2018-8013CRITICALCVSS 9.8fixed in batik 1.10-1 (bookworm)2018
CVE-2018-8013 [CRITICAL] CVE-2018-8013: batik - In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocumen... In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization. Scope: local bookworm: resolved (fixed in 1.10-1) bullseye: resolved (fixed in
debian
CVE-2017-5662HIGHCVSS 7.3fixed in batik 1.9-1 (bookworm)2017
CVE-2017-5662 [HIGH] CVE-2017-5662: batik - In Apache Batik before 1.9, files lying on the filesystem of the server which us... In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - wo
debian
CVE-2015-0250MEDIUMCVSS 6.4fixed in batik 1.7+dfsg-5 (bookworm)2015
CVE-2015-0250 [MEDIUM] CVE-2015-0250: batik - XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conver... XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file. Scope: local bookworm: resolved (fixed in 1.7+dfsg-5) bullseye: resolved (fixed in 1.7+dfsg-5) forky: resolved (fixed in 1.7+dfsg-5) sid: resolve
debian
CVE-2005-0508MEDIUMCVSS 4.6fixed in batik 1.5.1-1 (bookworm)2005
CVE-2005-0508 [MEDIUM] CVE-2005-0508: batik - Unknown vulnerability in Squiggle for Batik before 1.5.1 allows attackers to byp... Unknown vulnerability in Squiggle for Batik before 1.5.1 allows attackers to bypass certain access controls via certain features of the Rhino scripting engine due to a "script security issue." Scope: local bookworm: resolved (fixed in 1.5.1-1) bullseye: resolved (fixed in 1.5.1-1) forky: resolved (fixed in 1.5.1-1) sid: resolved (fixed in 1.5.1-1) trixie: resolved (fi
debian