Bug 2233889 (CVE-2022-44729) - CVE-2022-44729 batik: Server-Side Request Forgery vulnerability
Summary: CVE-2022-44729 batik: Server-Side Request Forgery vulnerability
Keywords:
Status: NEW
Alias: CVE-2022-44729
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2234660 2233904 2234661
Blocks: 2233900
TreeView+ depends on / blocked
 
Reported: 2023-08-23 16:28 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-04-30 23:00 UTC (History)
52 users (show)

Fixed In Version: batik 1.17
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Batik 1.0 - 1.16. This issue occurs due to a malicious SVG triggering external resources loading by default, causing resource consumption or in some cases information disclosure.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:5441 0 None None None 2023-10-04 11:59:32 UTC
Red Hat Product Errata RHSA-2024:1353 0 None None None 2024-03-18 09:48:21 UTC

Description Guilherme de Almeida Suckevicz 2023-08-23 16:28:57 UTC 
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.

On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.

References:
https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2
https://xmlgraphics.apache.org/security.html
http://www.openwall.com/lists/oss-security/2023/08/22/4
http://www.openwall.com/lists/oss-security/2023/08/22/2
Comment 2 TEJ RATHI 2023-08-24 09:23:14 UTC 
Versions Affected: Batik 1.0 - 1.16

References: 
https://issues.apache.org/jira/browse/BATIK-1349
https://github.com/advisories/GHSA-gq5f-xv48-2365
https://github.com/apache/xmlgraphics-batik/commit/85b3457d9902f64d5d409a8da060d5ba47d0b69b
https://github.com/apache/xmlgraphics-batik/commit/aaa1dd3e6b5a7df781d73e0c37a1df6a8f318893
Comment 4 TEJ RATHI 2023-08-25 07:24:34 UTC 
Created batik tracking bugs for this issue:

Affects: fedora-all [bug 2234660]
Comment 6 errata-xmlrpc 2023-10-04 11:59:29 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Springboot 4.0.0

Via RHSA-2023:5441 https://access.redhat.com/errata/RHSA-2023:5441
Comment 8 errata-xmlrpc 2024-03-18 09:48:18 UTC 
This issue has been addressed in the following products:

  RHPAM 7.13.5 async

Via RHSA-2024:1353 https://access.redhat.com/errata/RHSA-2024:1353
Note You need to log in before you can comment on or make changes to this bug.