GHSA-gq5f-xv48-2365

Source
https://github.com/advisories/GHSA-gq5f-xv48-2365
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-gq5f-xv48-2365/GHSA-gq5f-xv48-2365.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gq5f-xv48-2365
Aliases
Published
2023-08-22T21:30:26Z
Modified
2024-02-16T08:13:23.832518Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Summary
Apache XML Graphics Batik Server-Side Request Forgery vulnerability
Details

Server-Side Request Forgery (SSRF) vulnerability in Apache XML Graphics Batik (Apache Software Foundation). This issue affects Apache XML Graphics Batik 1.16.

In version 1.16, a malicious SVG could trigger the loading of external resources by default, causing resource consumption or, in some cases, even information disclosure. Users are recommended to upgrade to version 1.17 or later.

Database specific
{
    "nvd_published_at": "2023-08-22T19:16:29Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-23T17:53:44Z"
}
References

Affected packages

Maven / org.apache.xmlgraphics:batik-bridge

Package

Name
org.apache.xmlgraphics:batik-bridge
Purl
pkg:maven/org.apache.xmlgraphics/batik-bridge

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0
Fixed
1.17

Affected versions

1.*

1.6.1
1.7
1.8
1.9
1.9.1
1.10
1.11
1.12
1.13
1.14
1.15
1.16

Maven / org.apache.xmlgraphics:batik-svgrasterizer

Package

Name
org.apache.xmlgraphics:batik-svgrasterizer
Purl
pkg:maven/org.apache.xmlgraphics/batik-svgrasterizer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0
Fixed
1.17

Affected versions

1.*

1.9
1.9.1
1.10
1.11
1.12
1.13
1.14
1.15
1.16

Maven / org.apache.xmlgraphics:batik-transcoder

Package

Name
org.apache.xmlgraphics:batik-transcoder
Purl
pkg:maven/org.apache.xmlgraphics/batik-transcoder

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0
Fixed
1.17

Affected versions

1.*

1.6.1
1.7
1.8
1.9
1.9.1
1.10
1.11
1.12
1.13
1.14
1.15
1.16