2233899 – (CVE-2022-44730) CVE-2022-44730 batik: Server-Side Request Forgery vulnerability

Bug 2233899 (CVE-2022-44730) - CVE-2022-44730 batik: Server-Side Request Forgery vulnerability

Summary: CVE-2022-44730 batik: Server-Side Request Forgery vulnerability

Keywords:
Status:	NEW
Alias:	CVE-2022-44730
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2234660 2233902 2233903 2234661
Blocks:	2233900
TreeView+	depends on / blocked

Reported:	2023-08-23 16:34 UTC by Guilherme de Almeida Suckevicz
Modified:	2024-04-30 23:00 UTC (History)
CC List:	52 users (show)
Fixed In Version:	batik 1.17
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Apache Batik, where a malicious SVG can probe user profile data and send it directly as parameter to a URL. This issue can allow an attacker to conduct SSRF attacks.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:5441	0	None	None	None	2023-10-04 11:59:33 UTC
Red Hat Product Errata	RHSA-2024:1353	0	None	None	None	2024-03-18 09:48:20 UTC

Description Guilherme de Almeida Suckevicz 2023-08-23 16:34:22 UTC

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.

A malicious SVG can probe user profile / data and send it directly as parameter to a URL.

References:
https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0
https://xmlgraphics.apache.org/security.html
http://www.openwall.com/lists/oss-security/2023/08/22/3
http://www.openwall.com/lists/oss-security/2023/08/22/5

Comment 2 TEJ RATHI 2023-08-24 09:25:26 UTC

Versions Affected: Batik 1.0 - 1.16

References: 
https://issues.apache.org/jira/browse/BATIK-1347
https://github.com/advisories/GHSA-2474-2566-3qxp
https://github.com/apache/xmlgraphics-batik/commit/f9ae69233eadfbd392a4a08a55618f97343b467c

Comment 4 TEJ RATHI 2023-08-25 07:24:16 UTC

Created batik tracking bugs for this issue:

Affects: fedora-all [bug 2234660]

Comment 6 errata-xmlrpc 2023-10-04 11:59:30 UTC

This issue has been addressed in the following products:

  RHINT Camel-Springboot 4.0.0

Via RHSA-2023:5441 https://access.redhat.com/errata/RHSA-2023:5441

Comment 8 errata-xmlrpc 2024-03-18 09:48:17 UTC

This issue has been addressed in the following products:

  RHPAM 7.13.5 async

Via RHSA-2024:1353 https://access.redhat.com/errata/RHSA-2024:1353

Note You need to log in before you can comment on or make changes to this bug.

adupliak
aileenc
alampare
alazarot
almacdon
asoldano
bbaranow
bmaxwell
brian.stansberry
cdewolf
chazlett
cmiranda
darran.lofthouse
desktop-qa-list
dhanak
dkreling
dosoudil
emingora
fjuma
fmariani
gjospin
gmalinko
ibek
ivassile
iweiss
janstey
jkang
jpoth
jrokos
jvanek
kverlaen
lbacciot
lgao
mizdebsk
mnovotny
mosmerov
msochure
mstefank
msvehla
nwallace
pcongius
pdelbell
peholase
pjindal
pmackay
rguimara
rstancel
saroy
smaestri
tcunning
tom.jenkinson
yfang