Vulnerabilities (CVE)

Filtered by vendor Apache Subscribe
Filtered by product Batik
Total 11 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2018-8013 4 Apache, Canonical, Debian and 1 more 21 Batik, Ubuntu Linux, Debian Linux and 18 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.
CVE-2017-5662 1 Apache 1 Batik 2024-11-21 7.9 HIGH 7.3 HIGH
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
CVE-2015-0250 3 Apache, Canonical, Redhat 3 Batik, Ubuntu Linux, Jboss Enterprise Brms Platform 2024-11-21 6.4 MEDIUM N/A
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
CVE-2005-0508 1 Apache 1 Batik 2024-11-20 4.6 MEDIUM N/A
Unknown vulnerability in Squiggle for Batik before 1.5.1 allows attackers to bypass certain access controls via certain features of the Rhino scripting engine due to a "script security issue."
CVE-2022-42890 2 Apache, Debian 2 Batik, Debian Linux 2024-02-28 N/A 7.5 HIGH
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
CVE-2022-38398 2 Apache, Debian 2 Batik, Debian Linux 2024-02-28 N/A 5.3 MEDIUM
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.
CVE-2022-41704 2 Apache, Debian 2 Batik, Debian Linux 2024-02-28 N/A 7.5 HIGH
A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
CVE-2022-38648 2 Apache, Debian 2 Batik, Debian Linux 2024-02-28 N/A 5.3 MEDIUM
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
CVE-2022-40146 2 Apache, Debian 2 Batik, Debian Linux 2024-02-28 N/A 7.5 HIGH
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
CVE-2020-11987 4 Apache, Debian, Fedoraproject and 1 more 22 Batik, Debian Linux, Fedora and 19 more 2024-02-28 6.4 MEDIUM 8.2 HIGH
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
CVE-2019-17566 2 Apache, Oracle 18 Batik, Api Gateway, Business Intelligence and 15 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.