Monday, February 10, 2025
Homecyber securityApache XML Graphics Batik Flaw Exposes Sensitive Information

Apache XML Graphics Batik Flaw Exposes Sensitive Information

Published on

SIEM as a Service

Follow Us on Google News

Two Server-Side Request Forgery (SSRF) vulnerabilities were found in Apache Batik, which could allow a threat actor to access sensitive information in Apache Batik.

These vulnerabilities exist in the Apache XML Graphics Batik and are given CVE IDs CVE-2022-44729 and CVE-2022-44730.

It is a Java-based application toolkit that is used for rendering, generating, and manipulating of SVG (Scalable Vector Graphics) format.

This tool contains multiple modules like SVG Parser, SVG Generator, and SVG DOM.

CVE-2022-44729 & CVE-2022-44730 Apache Batik Flaw

CVE-2022-44729, One of the SSRF vulnerabilities exists as Apache can be triggered to load external resources by using a malicious SVG, which could result in more resource consumption or information disclosure.

CVE-2022-44730, this vulnerability can be exploited by a threat actor by using a malicious SVG to probe user profile/data and send it directly as an URL parameter resulting in information disclosure.

In response to these vulnerabilities, Apache has patched these vulnerabilities by blocking external resources by default and creating a whitelist in the Rhino JS engine.

Batik prior to version 1.16, is affected by these vulnerabilities. Revisions have been made to the source code of Batik to fix these vulnerabilities. 

Users of Apache Batik are recommended to upgrade to the latest version 1.17, to prevent this vulnerability from getting exploited. 

Keep yourself informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

NetSupport RAT Grant Attackers Full Access to Victims Systems

The eSentire Threat Response Unit (TRU) has reported a significant rise in incidents involving...

Quishing via QR Codes Emerging as a Top Attack Vector Used by Hackers

QR codes, once a symbol of convenience and security in digital interactions, have become...

New ‘BYOTB’ Attack Exploits Trusted Binaries to Evade Detection, Researchers Reveal

A recent cybersecurity presentation at BSides London 2024 has unveiled a sophisticated attack technique...

SAML Bypass Authentication on GitHub Enterprise Servers to Login as Other User Account

A severe security vulnerability, tracked as CVE-2025-23369, has been identified in GitHub Enterprise Server...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

NetSupport RAT Grant Attackers Full Access to Victims Systems

The eSentire Threat Response Unit (TRU) has reported a significant rise in incidents involving...

Quishing via QR Codes Emerging as a Top Attack Vector Used by Hackers

QR codes, once a symbol of convenience and security in digital interactions, have become...

New ‘BYOTB’ Attack Exploits Trusted Binaries to Evade Detection, Researchers Reveal

A recent cybersecurity presentation at BSides London 2024 has unveiled a sophisticated attack technique...