Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update batik and xmlgraphics-commons #878

Open
wants to merge 1 commit into
base: open-dev-v1
Choose a base branch
from
Open

Update batik and xmlgraphics-commons #878

wants to merge 1 commit into from

Conversation

lyca
Copy link

@lyca lyca commented Nov 3, 2022

Fixes

  • CVE-2022-42890 A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
  • CVE-2022-41704 A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
  • CVE-2022-40146 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
  • CVE-2022-38648 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
  • CVE-2022-38398 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.

@lyca
Update batik and xmlgraphics-commons
4164f11 
Fixes
- CVE-2022-42890 A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
- CVE-2022-41704 A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
- CVE-2022-40146 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
- CVE-2022-38648 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
- CVE-2022-38398 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.
@MoxxiManagarm MoxxiManagarm mentioned this pull request Nov 10, 2022
Closed
@jjcard
Copy link

jjcard commented Jan 26, 2023

This seems like a easy PR to get rid of CVEs. Giving my vote to get this merged

@MoxxiManagarm MoxxiManagarm mentioned this pull request Sep 19, 2023
Open
@wromanek
Copy link

@danfickle Is there any chance to get it merged?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@lyca @jjcard @wromanek