batik-script is vulnerable to information disclosure. The vulnerability is due to the visibleToScripts function in RhinoClassShutter.java not restricting script access to Batik internals, which allows an attacker to execute arbitrary code.
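The root cause named above is a Rhino ClassShutter whose visibleToScripts check exposes internal Java classes to script. The following is an added illustration, not Batik's own code and not the contents of the linked fix commits: a deny-by-default shutter that only exposes an explicit allowlist of package prefixes (the prefixes chosen here are an assumption for the example, not Batik's list), installed on a Rhino Context so that a script reaching for a hidden class fails instead of disclosing host information.

```java
import org.mozilla.javascript.ClassShutter;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.RhinoException;
import org.mozilla.javascript.Scriptable;

// Added example, not Batik's code. Rhino consults visibleToScripts() for every
// Java class a script tries to resolve (Packages.*, java.*, importClass, ...);
// returning false makes the class invisible to the script.
public final class AllowlistClassShutter implements ClassShutter {

    // Hypothetical allowlist: only the API surface the host intends scripts to
    // use. Anything outside these prefixes (implementation internals, java.lang,
    // java.io, ...) is hidden. These prefixes are an assumption for the example.
    private static final String[] ALLOWED_PREFIXES = {
        "org.w3c.dom.",
    };

    @Override
    public boolean visibleToScripts(String fullClassName) {
        for (String prefix : ALLOWED_PREFIXES) {
            if (fullClassName.startsWith(prefix)) {
                return true;
            }
        }
        // Deny by default: a class that is not explicitly listed is invisible.
        return false;
    }

    // Shows the shutter in effect: a script probing a host property through a
    // hidden class fails with a script error instead of returning the value.
    public static void main(String[] args) {
        Context cx = Context.enter();
        try {
            cx.setClassShutter(new AllowlistClassShutter());
            Scriptable scope = cx.initStandardObjects();
            try {
                cx.evaluateString(scope,
                    "Packages.java.lang.System.getProperty('java.version')",
                    "probe", 1, null);
                System.out.println("hidden class was reachable: shutter ineffective");
            } catch (RhinoException e) {
                // java.lang.System is not visible, so the name resolves to an
                // empty package object and the call fails inside the script.
                System.out.println("blocked by shutter: " + e.getMessage());
            }
        } finally {
            Context.exit();
        }
    }
}
```

The design point is the default branch: an allowlist of package prefixes is far easier to audit than a denylist of dangerous classes, because every class a script can reach must be named deliberately, and a newly added internal package is hidden until someone chooses to expose it.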
svn.apache.org/viewvc?view=revision&revision=1904549
www.openwall.com/lists/oss-security/2022/10/25/3
github.com/advisories/GHSA-rwqr-m72q-v6cm
github.com/apache/xmlgraphics-batik/commit/401aa8595f52d085d40ff5b6b4ac0dd372423082
github.com/apache/xmlgraphics-batik/commit/52f7a1ad6e3110ec295a35ffc94410eef085707a
issues.apache.org/jira/browse/BATIK-1345
lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly
lists.debian.org/debian-lts-announce/2022/10/msg00038.html
www.debian.org/security/2022/dsa-5264
xmlgraphics.apache.org/batik/