CVE-2022-44729
HIGH7.1EPSS 0.12%Apache XML Graphics Batik Server-Side Request Forgery vulnerability
發布日:2023/8/22修改日:2026/4/28
描述
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.
受影響套件(4)
- Debian/batikfrom 0, < 1.12-4+deb11u2
- Maven/org.apache.xmlgraphics:batik-bridge>= 1.0, < 1.17
- Maven/org.apache.xmlgraphics:batik-svgrasterizer>= 1.0, < 1.17
- Maven/org.apache.xmlgraphics:batik-transcoder>= 1.0, < 1.17
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.1 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |
參考連結(12)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-44729
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-44729
- PATCHhttps://github.com/apache/xmlgraphics-batik
- WEBhttps://github.com/apache/xmlgraphics-batik/commit/85b3457d9902f64d5d409a8da060d5ba47d0b69b
- WEBhttps://github.com/apache/xmlgraphics-batik/commit/aaa1dd3e6b5a7df781d73e0c37a1df6a8f318893
- WEBhttps://issues.apache.org/jira/browse/BATIK-1349
- WEBhttps://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2
- WEBhttps://lists.debian.org/debian-lts-announce/2023/10/msg00021.html
- WEBhttps://security.gentoo.org/glsa/202401-11
- WEBhttps://xmlgraphics.apache.org/security.html
- WEBhttp://www.openwall.com/lists/oss-security/2023/08/22/2
- WEBhttp://www.openwall.com/lists/oss-security/2023/08/22/4