CVE-2022-44730

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.

A malicious SVG can probe user profile / data and send it directly as parameter to a URL.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.4 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
Affected Products (NVD)
VendorProductVersion
apachexml_graphics_batik
1.0 ≤
𝑥
≤ 1.16
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
batik
bookworm
1.16+dfsg-1+deb12u1
fixed
bullseye
1.12-4+deb11u2
fixed
bullseye (security)
vulnerable
sid
1.18+dfsg-2
fixed
trixie
1.18+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
batik
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
ignored
xenial
needs-triage
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
xmlgraphics-batik
suse enterprise desktop 15 SP5
1.17-150200.4.7.1
fixed
suse enterprise sap 15 SP5
1.17-150200.4.7.1
fixed
suse enterprise server 15 SP5
1.17-150200.4.7.1
fixed
xmlgraphics-batik-css
suse enterprise desktop 15 SP5
1.17-150200.4.7.1
fixed
suse enterprise sap 15 SP5
1.17-150200.4.7.1
fixed
suse enterprise server 15 SP5
1.17-150200.4.7.1
fixed
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2023/08/22/3
http://www.openwall.com/lists/oss-security/2023/08/22/5
https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0
https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html
https://security.gentoo.org/glsa/202401-11
https://xmlgraphics.apache.org/security.html
http://www.openwall.com/lists/oss-security/2023/08/22/3
http://www.openwall.com/lists/oss-security/2023/08/22/5
https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0
https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html
https://security.gentoo.org/glsa/202401-11
https://xmlgraphics.apache.org/security.html