CVE-2022-42890
HIGH7.5EPSS 0.54%Untrusted code execution in Apache XML Graphics Batik
Published: 10/25/2022Modified: 4/28/2026
Description
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
Affected packages (3)
- Debian/batikfrom 0, < 1.12-4+deb11u1
- Maven/org.apache.xmlgraphics:batikfrom 0, < 1.16
- Maven/org.apache.xmlgraphics:batik-bridgefrom 0, < 1.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (13)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-42890
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-42890
- WEBhttps://github.com/apache/xmlgraphics-batik/commit/401aa8595f52d085d40ff5b6b4ac0dd372423082
- WEBhttps://github.com/apache/xmlgraphics-batik/commit/52f7a1ad6e3110ec295a35ffc94410eef085707a
- WEBhttps://github.com/apache/xmlgraphics-batik/commit/eada57c716a2757579d53017f8b2aeadaad20edd
- WEBhttps://issues.apache.org/jira/browse/BATIK-1345
- WEBhttps://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly
- WEBhttps://lists.debian.org/debian-lts-announce/2022/10/msg00038.html
- WEBhttps://security.gentoo.org/glsa/202401-11
- WEBhttp://svn.apache.org/repos/asf/xmlgraphics/batik/trunk
- WEBhttps://www.debian.org/security/2022/dsa-5264
- WEBhttps://xmlgraphics.apache.org/security.html
- WEBhttp://www.openwall.com/lists/oss-security/2022/10/25/3