CVE-2022-42890 – Apache Batik prior to 1.16 allows RCE via scripting
https://notcve.org/view.php?id=CVE-2022-42890
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16. Una vulnerabilidad en Batik de Apache XML Graphics permite a un atacante ejecutar código Java desde un SVG no confiable por medio de JavaScript. Este problema afecta a Apache XML Graphics versiones anteriores a 1.16. • http://www.openwall.com/lists/oss-security/2022/10/25/3 https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html https://security.gentoo.org/glsa/202401-11 https://www.debian.org/security/2022/dsa-5264 https://access.redhat.com/security/cve/CVE-2022-42890 https://bugzilla.redhat.com/show_bug.cgi?id=2182183 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-41704 – Apache Batik prior to 1.16 allows RCE when loading untrusted SVG input
https://notcve.org/view.php?id=CVE-2022-41704
A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16. Una vulnerabilidad en Batik de Apache XML Graphics permite a un atacante ejecutar código Java no confiable desde un SVG. Este problema afecta a Apache XML Graphics versiones anteriores a 1.16. • http://www.openwall.com/lists/oss-security/2022/10/25/2 https://lists.apache.org/thread/hplhx0o74jb7blj39fm4kw3otcnjd6xf https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html https://security.gentoo.org/glsa/202401-11 https://www.debian.org/security/2022/dsa-5264 https://access.redhat.com/security/cve/CVE-2022-41704 https://bugzilla.redhat.com/show_bug.cgi?id=2182182 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-38648 – PDFTranscoder does not block external resources
https://notcve.org/view.php?id=CVE-2022-38648
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14. Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en Batik de Apache XML Graphics permite a un atacante conseguir recursos externos. Este problema afecta a Batik de Apache XML Graphics versión 1.14 • https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html https://security.gentoo.org/glsa/202401-11 https://access.redhat.com/security/cve/CVE-2022-38648 https://bugzilla.redhat.com/show_bug.cgi?id=2155295 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-40146 – Jar url should be blocked by DefaultScriptSecurity
https://notcve.org/view.php?id=CVE-2022-40146
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en Batik de Apache XML Graphics permite a un atacante acceder a archivos usando una url de Jar. Este problema afecta a Batik de Apache XML Graphics versión 1.14 This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apache Batik. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the DefaultScriptSecurity class. • https://github.com/soulfoodisgood/CVE-2022-40146 https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html https://security.gentoo.org/glsa/202401-11 https://access.redhat.com/security/cve/CVE-2022-40146 https://bugzilla.redhat.com/show_bug.cgi?id=2155291 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-38398 – Server-Side Request Forgery Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-38398
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en Batik de Apache XML Graphics permite a un atacante cargar una url mediante el protocolo jar. Este problema afecta a Batik de Apache XML Graphics versión 1.14 This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apache Batik. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the DefaultExternalResourceSecurity class. • https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html https://security.gentoo.org/glsa/202401-11 https://access.redhat.com/security/cve/CVE-2022-38398 https://bugzilla.redhat.com/show_bug.cgi?id=2155292 • CWE-918: Server-Side Request Forgery (SSRF) •