CVE-2022-44729
Severity: HIGH
Apache XML Graphics Batik 1.16 - Server-Side Request Forgery via Malicious SVG
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.
References (6)
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/08/22/2
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/08/22/4
Vendor Advisory
https://xmlgraphics.apache.org/security.html
Mailing List, Vendor Advisory
https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2
Third Party Advisory
https://security.gentoo.org/glsa/202401-11
Scores
CVSS v3
7.1
EPSS
0.0012
EPSS Percentile
30.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Details
CWE
CWE-918
Status
published
Products (5)
apache/xml_graphics_batik
1.0 - 1.16
debian/debian_linux
10.0
org.apache.xmlgraphics/batik-bridge
1.0 - 1.17 (Maven)
org.apache.xmlgraphics/batik-svgrasterizer
1.0 - 1.17 (Maven)
org.apache.xmlgraphics/batik-transcoder
1.0 - 1.17 (Maven)
Published
Aug 22, 2023
Tracked Since
Feb 18, 2026