CVE-2022-44730 — Apache Batik information disclosure vulnerability

Description

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data and send it directly as parameter to a URL.

How to fix CVE-2022-44730

To remediate CVE-2022-44730, upgrade the affected package to a fixed version below.

—upgrade to 1.12-4+deb11u2 or later
—upgrade to 1.17 or later

Is CVE-2022-44730 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.12-4+deb11u2
>= 1.0, < 1.17

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.4	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-44730
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-44730
PATCHgithub.com/apache/xmlgraphics-batik
WEBgithub.com/apache/xmlgraphics-batik/commit/64658ccda90deaf6bf5f5b4d4a2ec365fe648bfa