apache

batik

8 known vulnerabilities · sorted by CVSS score

CVE-2018-8013

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

apache / batik+40

Network

Published May 24, 2018

CVE-2020-11987

HIGH8.2

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

apache / batik+36

Network

Published Feb 24, 2021

CVE-2022-42890

HIGH7.5

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.

apache / batik+2

Network

Published Oct 25, 2022

CVE-2022-40146

HIGH7.5

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.

apache / batik+1

Network

Published Sep 22, 2022

CVE-2022-41704

HIGH7.5

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.

apache / batik+2

Network

Published Oct 25, 2022

CVE-2019-17566

HIGH7.5

Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

apache / batik+24

Network

Published Nov 12, 2020

CVE-2022-38648

MEDIUM5.3

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.

apache / batik+1

Network

Published Sep 22, 2022

CVE-2022-38398

MEDIUM5.3

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.

apache / batik+1

Network

Published Sep 22, 2022