CVE-2022-41704 — batik - security update

Description

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.

How to fix CVE-2022-41704

To remediate CVE-2022-41704, upgrade the affected package to a fixed version below.

Debian/batik—upgrade to 1.12-4+deb11u1 or later
—upgrade to 1.10-2+deb10u2 or later
—upgrade to 1.12-4+deb11u1 or later
—upgrade to 1.16 or later

Is CVE-2022-41704 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 1.12-4+deb11u1
from 0, < 1.10-2+deb10u2
from 0, < 1.12-4+deb11u1
from 0, < 1.16

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-41704
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-41704
WEBgithub.com/apache/xmlgraphics-batik/commit/905f368b50c2567cf2c4869a0ab596a7b1b5125c
WEBissues.apache.org/jira/browse/BATIK-1338