CVE-2022-44729 Apache XML Graphics Batik v1.16 Server-Side Request Forgery vulnerability

[nkshschdv]

Microsoft Defender for cloud on Azure has detected a vulnerability CVE-2022-44729 in apache-jmeter-5.6.3 Please find report below `Critical and High severity vulnerabilities detected in your CNAB bundle by scanning referenced images with Microsoft Defender for Cloud. To know more about the vulnerability scanning process go to https://aka.ms/Container-Certification-Vulnerability-Found. Details about the Vulnerabilities detected are: Source image: xxxxxxxx.azurecr.io/xxxxxxx Image digestId: sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx VulnerabilityId: 994981 CVSS version 3 score: 7.1 CVE Ids: link= http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44729 and CveId= CVE-2022-44729

Vulnerability Information: Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. Remediation Steps: Refer to Github security advisory GHSA-gq5f-xv48-2365 for updates and patch information.

Patch:

Following are links for downloading patches to fix the vulnerabilities:

GHSA-gq5f-xv48-2365:org.apache.xmlgraphics:batik-bridge

`

On searching my container , i can find following location as showing in screenshot leading to jmeter installation

Actual behavior

The version for

1. org.apache.xmlgraphics:batik-bridge
2. org.apache.xmlgraphics:batik-transcoder should be 1.17 or higher

Steps to reproduce the problem

1. Install the jmeter in Ubuntu Linux
2. search the keyword using "find / -path /proc -prune -o -iname "batik" -print"
3. Some of the results will point to version of batik-bridge 1.16 and batik-transcoder 1.16 , a vulnerable version

JMeter Version

5.6.3

Java Version

openjdk version "11.0.22" 2024-01-16

OS Version

Linux 62ef50357f09 5.15.0-1057-azure #65~20.04.1-Ubuntu SMP Mon Feb 12 17:26:40 UTC 2024 x86_64 GNU/Linux