CVE-2022-44730

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.

A malicious SVG can probe user profile / data and send it directly as parameter to a URL.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.4 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
VendorProductVersion
apachexml_graphics_batik
1.0 ≤
𝑥
≤ 1.16
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
batik
bullseye
1.12-4+deb11u2
fixed
bullseye (security)
vulnerable
bookworm
1.16+dfsg-1+deb12u1
fixed
sid
1.18+dfsg-2
fixed
trixie
1.18+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
batik
noble
needs-triage
mantic
ignored
lunar
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2023/08/22/3
http://www.openwall.com/lists/oss-security/2023/08/22/5
https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0
https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html
https://security.gentoo.org/glsa/202401-11
https://xmlgraphics.apache.org/security.html
http://www.openwall.com/lists/oss-security/2023/08/22/3
http://www.openwall.com/lists/oss-security/2023/08/22/5
https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0
https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html
https://security.gentoo.org/glsa/202401-11
https://xmlgraphics.apache.org/security.html