Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yd3FyLW03MnEtdjZjbc4AAvib
Untrusted code execution in Apache XML Graphics Batik
A vulnerability in Apache XML Graphics Batik allows an attacker to run Java code from an untrusted SVG document via its embedded JavaScript. This issue affects Apache XML Graphics Batik prior to 1.16. Users are recommended to upgrade to version 1.16.
Permalink: https://github.com/advisories/GHSA-rwqr-m72q-v6cm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yd3FyLW03MnEtdjZjbc4AAvib
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-rwqr-m72q-v6cm, CVE-2022-42890
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-42890
- https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly
- https://github.com/apache/xmlgraphics-batik/commit/401aa8595f52d085d40ff5b6b4ac0dd372423082
- https://github.com/apache/xmlgraphics-batik/commit/52f7a1ad6e3110ec295a35ffc94410eef085707a
- https://github.com/apache/xmlgraphics-batik/commit/eada57c716a2757579d53017f8b2aeadaad20edd
- https://issues.apache.org/jira/browse/BATIK-1345
- https://xmlgraphics.apache.org/security.html
- http://www.openwall.com/lists/oss-security/2022/10/25/3
- https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html
- https://www.debian.org/security/2022/dsa-5264
- https://github.com/advisories/GHSA-rwqr-m72q-v6cm
Affected Packages
maven:org.apache.xmlgraphics:batik
Versions: < 1.16
Fixed in: 1.16