Vulnerabilities > Apache > Batik

DATE CVE VULNERABILITY TITLE RISK
2022-10-25 CVE-2022-41704 Server-Side Request Forgery (SSRF) vulnerability in multiple products
A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
network
low complexity
apache debian CWE-918
7.5
7.5
2022-10-25 CVE-2022-42890 Server-Side Request Forgery (SSRF) vulnerability in multiple products
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript.
network
low complexity
apache debian CWE-918
7.5
7.5
2022-09-22 CVE-2022-38398 Server-Side Request Forgery (SSRF) vulnerability in multiple products
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol.
network
low complexity
apache debian CWE-918
5.3
5.3
2022-09-22 CVE-2022-38648 Server-Side Request Forgery (SSRF) vulnerability in multiple products
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources.
network
low complexity
apache debian CWE-918
5.3
5.3
2022-09-22 CVE-2022-40146 Server-Side Request Forgery (SSRF) vulnerability in multiple products
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url.
network
low complexity
apache debian CWE-918
7.5
7.5
2021-02-24 CVE-2020-11987 Server-Side Request Forgery (SSRF) vulnerability in multiple products
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel.
network
low complexity
apache fedoraproject oracle debian CWE-918
8.2
8.2
2020-11-12 CVE-2019-17566 Server-Side Request Forgery (SSRF) vulnerability in multiple products
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes.
network
low complexity
apache oracle CWE-918
7.5
7.5
2018-05-24 CVE-2018-8013 Deserialization of Untrusted Data vulnerability in multiple products
In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class.
network
low complexity
apache debian canonical oracle CWE-502
critical
 9.8
9.8
2017-04-18 CVE-2017-5662 XXE vulnerability in Apache Batik
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files.
network
low complexity
apache CWE-611
7.3
7.3