CVE-2022-44729 — Apache XML Graphics Batik Server-Side Request Forgery vulnerability

Description

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.

How to fix CVE-2022-44729

To remediate CVE-2022-44729, upgrade the affected package to a fixed version below.

—upgrade to 1.12-4+deb11u2 or later
—upgrade to 1.17 or later
—upgrade to 1.17 or later
—upgrade to 1.17 or later

Is CVE-2022-44729 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 1.12-4+deb11u2
>= 1.0, < 1.17
>= 1.0, < 1.17
>= 1.0, < 1.17

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-44729
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-44729
PATCHgithub.com/apache/xmlgraphics-batik
WEBgithub.com/apache/xmlgraphics-batik/commit/85b3457d9902f64d5d409a8da060d5ba47d0b69b