CVE-2022-44729
HIGH7.1EPSS 0.12%Apache XML Graphics Batik Server-Side Request Forgery vulnerability
Published: 8/22/2023Modified: 4/28/2026
Description
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.
Affected packages (4)
- Debian/batikfrom 0, < 1.12-4+deb11u2
- Maven/org.apache.xmlgraphics:batik-bridge>= 1.0, < 1.17
- Maven/org.apache.xmlgraphics:batik-svgrasterizer>= 1.0, < 1.17
- Maven/org.apache.xmlgraphics:batik-transcoder>= 1.0, < 1.17
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.1 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |
References (12)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-44729
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-44729
- PATCHhttps://github.com/apache/xmlgraphics-batik
- WEBhttps://github.com/apache/xmlgraphics-batik/commit/85b3457d9902f64d5d409a8da060d5ba47d0b69b
- WEBhttps://github.com/apache/xmlgraphics-batik/commit/aaa1dd3e6b5a7df781d73e0c37a1df6a8f318893
- WEBhttps://issues.apache.org/jira/browse/BATIK-1349
- WEBhttps://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2
- WEBhttps://lists.debian.org/debian-lts-announce/2023/10/msg00021.html
- WEBhttps://security.gentoo.org/glsa/202401-11
- WEBhttps://xmlgraphics.apache.org/security.html
- WEBhttp://www.openwall.com/lists/oss-security/2023/08/22/2
- WEBhttp://www.openwall.com/lists/oss-security/2023/08/22/4