CVE-2022-41704

Apache Batik prior to 1.16 allows RCE when loading untrusted SVG input

CVSS 7.5 HIGHEPSS 2.1%CWE-918

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.5EPSS 2.1%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Lifecycle

25 Oct 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Apache Software Foundation · Apache XML Graphics

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://lists.apache.org/thread/hplhx0o74jb7blj39fm4kw3otcnjd6xf https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html https://security.gentoo.org/glsa/202401-11 https://www.debian.org/security/2022/dsa-5264 http://www.openwall.com/lists/oss-security/2022/10/25/2