Apache XML Graphics security advisories

Security information for Apache XML Graphics

Reporting

Do you want disclose a potential security issue for Apache XML Graphics? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

XML External Entity (XXE) Processing

CVE-2024-28168 [CVE] [CVE json] [OSV json]

Last updated: 2024-10-09T12:04:02.004Z

Affected

  • Apache XML Graphics FOP at 2.9

Description

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.

This issue affects Apache XML Graphics FOP: 2.9.

Users are recommended to upgrade to version 2.10, which fixes the issue.

References

Credits

  • c1gar of Shanxi Normal University (finder)

Information disclosure vulnerability

CVE-2022-44730 [CVE] [CVE json]

Last updated: 2023-08-22T14:04:18.758Z

Affected

  • Apache XML Graphics Batik at 1.16

Description

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.

This issue affects Apache XML Graphics Batik: 1.16.

A malicious SVG can probe user profile / data and send it directly as parameter to a URL.

References

Information disclosure vulnerability

CVE-2022-44729 [CVE] [CVE json]

Last updated: 2023-08-22T14:12:19.621Z

Affected

  • Apache XML Graphics Batik at 1.16

Description

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.

This issue affects Apache XML Graphics Batik: 1.16.

On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.

References

Credits

  • nbxiglk (finder)

Apache Batik prior to 1.16 allows RCE via scripting

CVE-2022-42890 [CVE] [CVE json] [OSV json]

Last updated: 2022-10-25T11:25:19.555Z

Affected

  • Apache XML Graphics from Batik through 1.15

Description

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.

References

Credits

  • This issue was independently reported by Y4tacker and 4ra1n of Chaitin Tech

Apache Batik prior to 1.16 allows RCE when loading untrusted SVG input

CVE-2022-41704 [CVE] [CVE json] [OSV json]

Last updated: 2022-10-25T11:02:56.969Z

Affected

  • Apache XML Graphics from Batik through 1.15

Description

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.

References

Credits

  • This issue was independently reported by 4ra1n of Chaitin Tech and pwnull

Jar url should be blocked by DefaultScriptSecurity

CVE-2022-40146 [CVE] [CVE json] [OSV json]

Last updated: 2022-11-23T18:09:53.965Z

Affected

  • Apache XML Graphics at Batik 1.14

Description

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. Only affects the batik-bridge component.

References

PDFTranscoder does not block external resources

CVE-2022-38648 [CVE] [CVE json] [OSV json]

Last updated: 2022-09-22T14:37:30.540Z

Affected

  • Apache XML Graphics at Batik 1.14

Description

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.

References

Server-Side Request Forgery Information Disclosure Vulnerability

CVE-2022-38398 [CVE] [CVE json] [OSV json]

Last updated: 2022-09-22T14:36:45.719Z

Affected

  • Apache XML Graphics at Batik 1.14

Description

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.

References