CVE-2022-44729 – Apache XML Graphics Batik: Information disclosure vulnerability
https://notcve.org/view.php?id=CVE-2022-44729
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later. A flaw was found in Apache Batik 1.0 - 1.16. This issue occurs due to a malicious SVG triggering external resources loading by default, causing resource consumption or in some cases information disclosure. • http://www.openwall.com/lists/oss-security/2023/08/22/2 http://www.openwall.com/lists/oss-security/2023/08/22/4 https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2 https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html https://security.gentoo.org/glsa/202401-11 https://xmlgraphics.apache.org/security.html https://access.redhat.com/security/cve/CVE-2022-44729 https://bugzilla.redhat.com/show_bug.cgi?id=2233889 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-44730 – Apache XML Graphics Batik: Information disclosure vulnerability
https://notcve.org/view.php?id=CVE-2022-44730
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data and send it directly as parameter to a URL. A flaw was found in Apache Batik, where a malicious SVG can probe user profile data and send it directly as parameter to a URL. This issue can allow an attacker to conduct SSRF attacks. • http://www.openwall.com/lists/oss-security/2023/08/22/3 http://www.openwall.com/lists/oss-security/2023/08/22/5 https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0 https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html https://security.gentoo.org/glsa/202401-11 https://xmlgraphics.apache.org/security.html https://access.redhat.com/security/cve/CVE-2022-44730 https://bugzilla.redhat.com/show_bug.cgi?id=2233899 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-42890 – Apache Batik prior to 1.16 allows RCE via scripting
https://notcve.org/view.php?id=CVE-2022-42890
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16. Una vulnerabilidad en Batik de Apache XML Graphics permite a un atacante ejecutar código Java desde un SVG no confiable por medio de JavaScript. Este problema afecta a Apache XML Graphics versiones anteriores a 1.16. • http://www.openwall.com/lists/oss-security/2022/10/25/3 https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html https://security.gentoo.org/glsa/202401-11 https://www.debian.org/security/2022/dsa-5264 https://access.redhat.com/security/cve/CVE-2022-42890 https://bugzilla.redhat.com/show_bug.cgi?id=2182183 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-41704 – Apache Batik prior to 1.16 allows RCE when loading untrusted SVG input
https://notcve.org/view.php?id=CVE-2022-41704
A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16. Una vulnerabilidad en Batik de Apache XML Graphics permite a un atacante ejecutar código Java no confiable desde un SVG. Este problema afecta a Apache XML Graphics versiones anteriores a 1.16. • http://www.openwall.com/lists/oss-security/2022/10/25/2 https://lists.apache.org/thread/hplhx0o74jb7blj39fm4kw3otcnjd6xf https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html https://security.gentoo.org/glsa/202401-11 https://www.debian.org/security/2022/dsa-5264 https://access.redhat.com/security/cve/CVE-2022-41704 https://bugzilla.redhat.com/show_bug.cgi?id=2182182 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-38648 – PDFTranscoder does not block external resources
https://notcve.org/view.php?id=CVE-2022-38648
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14. Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en Batik de Apache XML Graphics permite a un atacante conseguir recursos externos. Este problema afecta a Batik de Apache XML Graphics versión 1.14 • https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html https://security.gentoo.org/glsa/202401-11 https://access.redhat.com/security/cve/CVE-2022-38648 https://bugzilla.redhat.com/show_bug.cgi?id=2155295 • CWE-918: Server-Side Request Forgery (SSRF) •