Apache

Batik

10 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2022-41704

  • EPSS 0.23%
  • Veröffentlicht 25.10.2022 17:15:57
  • Zuletzt bearbeitet 21.11.2024 07:23:41

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.

7.5

CVE-2022-42890

  • EPSS 0.23%
  • Veröffentlicht 25.10.2022 17:15:57
  • Zuletzt bearbeitet 21.11.2024 07:25:32

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.

5.3

CVE-2022-38398

  • EPSS 0.1%
  • Veröffentlicht 22.09.2022 15:15:09
  • Zuletzt bearbeitet 21.11.2024 07:16:23

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.

5.3

CVE-2022-38648

  • EPSS 0.09%
  • Veröffentlicht 22.09.2022 15:15:09
  • Zuletzt bearbeitet 21.11.2024 07:16:51

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.

7.5

CVE-2022-40146

  • EPSS 34.02%
  • Veröffentlicht 22.09.2022 15:15:09
  • Zuletzt bearbeitet 21.11.2024 07:20:58

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.

8.2

CVE-2020-11987

  • EPSS 0.63%
  • Veröffentlicht 24.02.2021 18:15:11
  • Zuletzt bearbeitet 21.11.2024 04:59:03

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arb...

7.5

CVE-2019-17566

  • EPSS 0.82%
  • Veröffentlicht 12.11.2020 18:15:12
  • Zuletzt bearbeitet 21.11.2024 04:32:32

Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make ...

9.8

CVE-2018-8013

  • EPSS 1.33%
  • Veröffentlicht 24.05.2018 16:29:00
  • Zuletzt bearbeitet 21.11.2024 04:13:05

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before ...

7.9

CVE-2017-5662

  • EPSS 0.18%
  • Veröffentlicht 18.04.2017 14:59:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable ap...

6.4

CVE-2015-0250

Exploit
  • EPSS 1.41%
  • Veröffentlicht 24.03.2015 17:59:00
  • Zuletzt bearbeitet 12.04.2025 10:46:40

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.