CVE-2020-11987
CVE-2020-11987 – SSRF in Apache Batik 1.13 . The initial description confirms a server-side request forgery via improper input validation in NodePickerPanel, enabling an attacker to make arbitrary GET requests from the server. Connected documents corroborate concrete remediation actions across ve...
CVE-2019-17566
CVE-2019-17566 (Apache Batik) is a server-side request forgery caused by improper input validation in xlink:href attributes, potentially allowing an attacker to trigger arbitrary GET requests from the vulnerable server. Connected advisories reference Batik-related SSRF issues across IBM JRS, SUSE...
CVE-2022-42890
CVE-2022-42890 is a vulnerability in Apache Batik (XML Graphics Project) that allows an attacker to run arbitrary Java code from untrusted SVG via JavaScript. The issue affects Apache Batik prior to version 1.16; multiple advisories note upgrading to 1.16 or newer as the remediation (e.g., Debian...
CVE-2022-40146
CVE-2022-40146 is a Server-Side Request Forgery in Apache XML Graphics Batik (version 1.14) that allows an attacker to access files via a Jar URL. Multiple connected advisories confirm the vulnerability and urge upgrading Batik to patched versions; Debian and Gentoo advisories show Batik updates ...
CVE-2018-8013
Apache Batik 1.x before 1.10 is vulnerable to information disclosure via deserializing a subclass of AbstractDocument, where an inputStream-derived class name is used to invoke a no-arg constructor. The fix is to validate the class type before newInstance during deserialization; remediation is to up...
CVE-2022-41704
CVE-2022-41704 concerns the Apache Batik library (Apache XML Graphics) and allows a remote attacker to run untrusted Java code from an SVG. The issue affects Batik versions prior to 1.16, with a recommended upgrade to 1.16. Connected documents corroborate the vulnerability details across multiple...
CVE-2022-38398
CVE-2022-38398 is a Server-Side Request Forgery (SSRF) in Apache Batik (SVG toolkit) affecting Batik 1.14, with resources loadable via the jar protocol. The vulnerability enables loading arbitrary URLs by crafting a request that bypasses normalization in Batik components. Public records show multiple vendors refere...
CVE-2022-38648
CVE-2022-38648 is a Server-Side Request Forgery (SSRF) in Apache Batik (Apache XML Graphics Batik). Public docs confirm the issue affects Batik 1.14 and describe an SSRF that can fetch external resources via Batik’s processing. Connected sources show fixes/mitigations across ecosystems: Debian LTS ...
CVE-2017-5662
CVE-2017-5662 affects Apache Batik before 1.9, exposing files on the server when processing adversarial SVGs. Root context could lead to full server compromise; XXE can trigger DoS amplification. Connected docs confirm Batik-related exploits/SSRF risks and list affected platforms (e.g., Batik =1....
CVE-2015-0250
CVE-2015-0250 describes an XXE vulnerability in Apache Batik 1.x prior to 1.8, affecting the SVG to PNG/JPG conversion paths. The root cause is XML external entity processing within Batik’s SVG handling, enabling a remote attacker to read arbitrary files or cause a denial of service via a crafted...