Apache XML Graphics security advisories
Security information for Apache XML Graphics
Reporting
Do you want disclose a potential security issue for Apache XML Graphics? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
XML External Entity (XXE) Processing
CVE-2024-28168 [CVE] [CVE json] [OSV json]
Last updated: 2024-10-09T12:04:02.004Z
Affected
- Apache XML Graphics FOP at 2.9
Description
Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.
This issue affects Apache XML Graphics FOP: 2.9.
Users are recommended to upgrade to version 2.10, which fixes the issue.
References
Credits
- c1gar of Shanxi Normal University (finder)
Information disclosure vulnerability
CVE-2022-44730 [CVE] [CVE json]
Last updated: 2023-08-22T14:04:18.758Z
Affected
- Apache XML Graphics Batik at 1.16
Description
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.
This issue affects Apache XML Graphics Batik: 1.16.
A malicious SVG can probe user profile / data and send it directly as parameter to a URL.
References
- https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0
- https://xmlgraphics.apache.org/security.html
Information disclosure vulnerability
CVE-2022-44729 [CVE] [CVE json]
Last updated: 2023-08-22T14:12:19.621Z
Affected
- Apache XML Graphics Batik at 1.16
Description
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.
This issue affects Apache XML Graphics Batik: 1.16.
On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.
References
- https://xmlgraphics.apache.org/security.html
- https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2
Credits
- nbxiglk (finder)
Apache Batik prior to 1.16 allows RCE via scripting
CVE-2022-42890 [CVE] [CVE json] [OSV json]
Last updated: 2022-10-25T11:25:19.555Z
Affected
- Apache XML Graphics from Batik through 1.15
Description
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
References
Credits
- This issue was independently reported by Y4tacker and 4ra1n of Chaitin Tech
Apache Batik prior to 1.16 allows RCE when loading untrusted SVG input
CVE-2022-41704 [CVE] [CVE json] [OSV json]
Last updated: 2022-10-25T11:02:56.969Z
Affected
- Apache XML Graphics from Batik through 1.15
Description
A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
References
Credits
- This issue was independently reported by 4ra1n of Chaitin Tech and pwnull
Jar url should be blocked by DefaultScriptSecurity
CVE-2022-40146 [CVE] [CVE json] [OSV json]
Last updated: 2022-11-23T18:09:53.965Z
Affected
- Apache XML Graphics at Batik 1.14
Description
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. Only affects the batik-bridge component.
References
PDFTranscoder does not block external resources
CVE-2022-38648 [CVE] [CVE json] [OSV json]
Last updated: 2022-09-22T14:37:30.540Z
Affected
- Apache XML Graphics at Batik 1.14
Description
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
References
Server-Side Request Forgery Information Disclosure Vulnerability
CVE-2022-38398 [CVE] [CVE json] [OSV json]
Last updated: 2022-09-22T14:36:45.719Z
Affected
- Apache XML Graphics at Batik 1.14
Description
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.