Description: "In Apache Batik 1.x before 1.10, when deserializing a subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name and then uses it to call the no-arg constructor of that class. The fix was to check the class type before calling newInstance in deserialization."
Also CVE-2019-17566, https://seclists.org/oss-sec/2020/q2/189: "The Apache Batik library is vulnerable to SSRF via 'xlink:href' attributes that allow an attacker to cause the underlying server to make arbitrary GET requests. Users should upgrade to Batik 1.13 or later and pass -blockExternalResources on the command line."
CVE-2020-11987: Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
Thanks!
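The deserialization issue described above, as an added illustration that is not Batik's own code: a `readObject` that takes a class name from the stream and, before instantiating it, checks that the class is assignable to the expected type. The `Implementation` interface, `Holder` class and the tampered class name are constructed for this example.

```java
import java.io.*;

// Added example (not Batik's code): deserialization that reads a class name from
// the stream and refuses to call a no-arg constructor on anything but the expected type.
public class CheckedDeserialization {
    public interface Implementation { }
    public static final class SafeImpl implements Implementation { }

    public static final class Holder implements Serializable {
        private static final long serialVersionUID = 1L;
        transient Implementation implementation;
        String implementationClassName;   // this string is what ends up in the stream

        Holder(Implementation impl) {
            this.implementation = impl;
            this.implementationClassName = impl.getClass().getName();
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // initialize=false: resolve the class without running its static initializers
            Class<?> cls = Class.forName(implementationClassName, false, Holder.class.getClassLoader());
            // The fix: check the type before newInstance, so an arbitrary class name in the
            // stream cannot trigger an arbitrary no-arg constructor.
            if (!Implementation.class.isAssignableFrom(cls)) {
                throw new InvalidObjectException("unexpected implementation class: " + implementationClassName);
            }
            try {
                implementation = (Implementation) cls.getDeclaredConstructor().newInstance();
            } catch (ReflectiveOperationException e) {
                throw new InvalidObjectException("cannot instantiate " + implementationClassName);
            }
        }
    }

    // Serialize and deserialize a Holder in memory.
    public static Holder roundTrip(Holder h) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(h); }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (Holder) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(roundTrip(new Holder(new SafeImpl())).implementation.getClass().getSimpleName());
        Holder tampered = new Holder(new SafeImpl());
        tampered.implementationClassName = "java.util.ArrayList"; // constructed: a class that is not an Implementation
        try { roundTrip(tampered); } catch (InvalidObjectException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```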
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=eb961392a72f66e8ae09629ffa13ed5a59187746

commit eb961392a72f66e8ae09629ffa13ed5a59187746
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-07 10:19:19 +0000
Commit: Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-07 10:19:40 +0000

[ GLSA 202401-11 ] Apache Batik: Multiple Vulnerabilities

Bug: https://bugs.gentoo.org/724534
Bug: https://bugs.gentoo.org/872689
Bug: https://bugs.gentoo.org/918088
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

glsa-202401-11.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)