CVE-2022-38398 (https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx): Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.
https://issues.apache.org/jira/browse/BATIK-1331

CVE-2022-38648 (https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b): Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
https://issues.apache.org/jira/browse/BATIK-1333

CVE-2022-40146 (https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx): Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
https://issues.apache.org/jira/browse/BATIK-1335

All fixed in 1.15, please bump.
Change Log
==========

The following log records some of the most important changes. Bug fixing is an ongoing task, so it is implied in all sub-releases.

1.14 -> 1.15
------------

BATIK-1260: Java 11 module error
BATIK-1321: Remove Xerces
BATIK-1299: Batik-all jar has all classes so should not pull other jars also
BATIK-1329: Remove xalan
BATIK-1331: Jar url should be blocked by DefaultExternalResourceSecurity
BATIK-1333: Block external resource before calling fop
BATIK-1335: Jar url should be blocked by DefaultScriptSecurity
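The fix named in BATIK-1331 above is that Batik's `DefaultExternalResourceSecurity` now refuses `jar:` URLs, which is what the three CVEs in the first comment turn into SSRF and local file access. The following is an added example, not Batik's or Gentoo's own code, of the same control written as an explicit scheme allowlist that an application embedding Batik 1.14 can install while it waits for the bump. It assumes Batik's bridge API as I understand it: `ExternalResourceSecurity` declares one method, `checkLoadExternalResource()`, which throws `SecurityException` to refuse a load, `ParsedURL` is Batik's URL type, and the resource URL handed in has already been resolved against the document URL (so it is absolute). The sample inputs in `main` are constructed.

```java
import org.apache.batik.bridge.ExternalResourceSecurity;
import org.apache.batik.util.ParsedURL;

import java.util.Locale;
import java.util.Set;

/**
 * Added example (not Batik's own code): an ExternalResourceSecurity that admits
 * only http(s) external resources and refuses everything else, including the
 * jar: URLs that CVE-2022-38398 / CVE-2022-40146 describe for Batik 1.14.
 *
 * Assumed Batik API: ExternalResourceSecurity has a single method
 * checkLoadExternalResource() that throws SecurityException on refusal, and
 * ParsedURL.toString() yields the absolute URL of the resource being loaded.
 */
public final class SchemeAllowlistResourceSecurity implements ExternalResourceSecurity {

    /** Schemes an external image or stylesheet may use; anything else is refused.
     *  Add "data" here only if the application really needs inline data: resources. */
    private static final Set<String> ALLOWED = Set.of("http", "https");

    private final String resource;

    public SchemeAllowlistResourceSecurity(ParsedURL resourceURL) {
        this.resource = resourceURL == null ? null : resourceURL.toString();
    }

    @Override
    public void checkLoadExternalResource() {
        if (!isAllowed(resource)) {
            throw new SecurityException("refused external resource: " + resource);
        }
    }

    /**
     * Pure string check so the policy can be unit-tested without a Batik runtime.
     * Only the outermost scheme matters: "jar:https://..." and "jar:file:..." both
     * have scheme "jar" and are refused, as are file:, ftp: and scheme-less values.
     * Relative references are expected to have been resolved to absolute URLs
     * before reaching this check, so a missing scheme is treated as a refusal.
     */
    static boolean isAllowed(String url) {
        if (url == null) {
            return false;
        }
        int colon = url.indexOf(':');
        if (colon <= 0) {
            return false;                                   // no scheme at all
        }
        String scheme = url.substring(0, colon).trim().toLowerCase(Locale.ROOT);
        return ALLOWED.contains(scheme);
    }

    public static void main(String[] args) {
        String[] samples = {                                // constructed inputs
            "https://example.org/logo.png",
            "HTTP://example.org/logo.png",
            "jar:https://example.org/x.jar!/img.png",
            "jar:file:/tmp/x.jar!/img.png",
            "file:///etc/hosts",
            "logo.png",
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "allow  " : "refuse ") + s);
        }
    }
}
```

To make Batik use it, the embedding application returns this class instead of `DefaultExternalResourceSecurity` from its `UserAgent` implementation (in the adapter that is the `getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL)` method, again as I understand the API). The deliberate design choice is an allowlist of schemes rather than a denylist of `jar:`: a denylist has to be revisited for every protocol handler the JVM or a dependency registers, while an allowlist fails closed for anything not explicitly expected. Note this covers BATIK-1331 (external resources) only; script loading, the subject of BATIK-1335, goes through `ScriptSecurity` and needs the equivalent check there.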
CVE-2022-41704: "Block loading jars by default to avoid running untrusted code"
CVE-2022-42890: "Restrict what java classes can be run thru JavaScript"

The subject lines call these "information disclosure" vulnerabilities, but preventing the execution of untrusted code sounds significantly worse than information disclosure.

https://issues.apache.org/jira/browse/BATIK-1338
https://issues.apache.org/jira/browse/BATIK-1345

java@, any input on the severity?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96f1b92f7ecb57d5405be9b1549ce3e9463b86a1

commit 96f1b92f7ecb57d5405be9b1549ce3e9463b86a1
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-04-01 11:00:47 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-04-03 07:08:28 +0000

    dev-java/batik: avoid file collisions

    Bug: https://bugs.gentoo.org/872689
    Closes: https://bugs.gentoo.org/903641
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/30431
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 .../batik/{batik-1.16.ebuild => batik-1.16-r1.ebuild} | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=eb961392a72f66e8ae09629ffa13ed5a59187746

commit eb961392a72f66e8ae09629ffa13ed5a59187746
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-07 10:19:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-07 10:19:40 +0000

    [ GLSA 202401-11 ] Apache Batik: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/724534
    Bug: https://bugs.gentoo.org/872689
    Bug: https://bugs.gentoo.org/918088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-11.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)