Skip to content

Update batik and xmlgraphics-commons #878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
lyca wants to merge 1 commit into
base: open-dev-v1
Choose a base branch
from
Open

Update batik and xmlgraphics-commons #878

lyca wants to merge 1 commit into from

Conversation

@lyca
Copy link

@lyca lyca commented Nov 3, 2022

Fixes

  • CVE-2022-42890 A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
  • CVE-2022-41704 A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
  • CVE-2022-40146 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
  • CVE-2022-38648 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
  • CVE-2022-38398 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.

@lyca
Update batik and xmlgraphics-commons
4164f11 
Fixes
- CVE-2022-42890 A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
- CVE-2022-41704 A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
- CVE-2022-40146 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
- CVE-2022-38648 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
- CVE-2022-38398 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.
@MoxxiManagarm MoxxiManagarm mentioned this pull request Nov 10, 2022
Closed
@jjcard
Copy link

jjcard commented Jan 26, 2023

This seems like a easy PR to get rid of CVEs. Giving my vote to get this merged

@MoxxiManagarm MoxxiManagarm mentioned this pull request Sep 19, 2023
Open
@wromanek
Copy link

wromanek commented Sep 25, 2023

@danfickle Is there any chance to get it merged?

@alexeytereshchenko
Copy link

alexeytereshchenko commented Jan 14, 2025

is it has any updates ? It should be updated to 1.17

https://osv.dev/vulnerability/GHSA-gq5f-xv48-2365

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@lyca @jjcard @wromanek @alexeytereshchenko