Two Server-Side Request Forgery (SSRF) vulnerabilities were found in Apache Batik, which could allow a threat actor to access sensitive information in Apache Batik.
These vulnerabilities exist in the Apache XML Graphics Batik and are given CVE IDs CVE-2022-44729 and CVE-2022-44730.
It is a Java-based application toolkit that is used for rendering, generating, and manipulating of SVG (Scalable Vector Graphics) format.
This tool contains multiple modules like SVG Parser, SVG Generator, and SVG DOM.
CVE-2022-44729, One of the SSRF vulnerabilities exists as Apache can be triggered to load external resources by using a malicious SVG, which could result in more resource consumption or information disclosure.
CVE-2022-44730, this vulnerability can be exploited by a threat actor by using a malicious SVG to probe user profile/data and send it directly as an URL parameter resulting in information disclosure.
In response to these vulnerabilities, Apache has patched these vulnerabilities by blocking external resources by default and creating a whitelist in the Rhino JS engine.
Batik prior to version 1.16, is affected by these vulnerabilities. Revisions have been made to the source code of Batik to fix these vulnerabilities.
Users of Apache Batik are recommended to upgrade to the latest version 1.17, to prevent this vulnerability from getting exploited.
Keep yourself informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.
Gcore, the global edge AI, cloud, network, and security solutions provider, has launched Super Transit,…
Microsoft has urgently patched a high-risk security vulnerability (CVE-2025-29810) in Windows Active Directory Domain Services…
Adobe has announced critical security updates for several of its popular software products, addressing vulnerabilities…
In a disturbing escalation of cyber threats, a new malware campaign dubbed 'HollowQuill' has been…
GreyNoise has noted a sharp escalation in hacking attempts targeting TVT NVMS9000 Digital Video Recorders…
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert highlighting a critical vulnerability…