CVE-2022-44729 (High) detected in batik-bridge-1.9.jar, batik-transcoder-1.9.jar

[mend-bolt-for-github[bot]]

CVE-2022-44729 - High Severity Vulnerability

Vulnerable Libraries - batik-bridge-1.9.jar, batik-transcoder-1.9.jar

batik-bridge-1.9.jar

Library home page: http://www.apache.org/

Path to vulnerable library: /target/libs/provided/batik-bridge-1.9.jar

Dependency Hierarchy: - :x: **batik-bridge-1.9.jar** (Vulnerable Library)

batik-transcoder-1.9.jar

Library home page: http://www.apache.org/

Path to vulnerable library: /target/libs/provided/batik-transcoder-1.9.jar

Dependency Hierarchy: - :x: **batik-transcoder-1.9.jar** (Vulnerable Library)

Found in HEAD commit: 517ce877d9ca28b78d99878eae6078eb4dbd1e1b

Found in base branch: main

Vulnerability Details

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.

Publish Date: 2023-08-22

URL: CVE-2022-44729

CVSS 3 Score Details (7.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2023/08/22/2

Release Date: 2023-08-22

Fix Resolution: org.apache.xmlgraphics:batik-bridge:1.17;org.apache.xmlgraphics:batik-all:1.17;org.apache.xmlgraphics:batik-svgrasterizer:1.17;org.apache.xmlgraphics:batik-rasterizer:1.17;org.apache.xmlgraphics:batik-transcoder:1.17

---

Step up your Open Source Security Game with Mend here