Updated batik packages fix security vulnerabilities
Publication date: 16 Mar 2024
Modification date: 16 Mar 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2022-38398, CVE-2022-38648, CVE-2022-40146, CVE-2022-41704, CVE-2022-42890
Description
The updated packages fix security vulnerabilities:
- Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a URL through the jar protocol. (CVE-2022-38398)
- Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. (CVE-2022-38648)
- Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a jar URL. (CVE-2022-40146)
- A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. (CVE-2022-41704)
- A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. (CVE-2022-42890)
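All five issues stem from Batik following external references (jar:, file:, http:) or executing scripts found in an SVG it was asked to render. Beyond applying the updated package, an application that rasterizes SVG from untrusted sources should also refuse those operations at the Batik user-agent level. The following is an added example, not code from the Mageia advisory or the Batik project; it assumes Batik's bridge, transcoder and util modules are on the classpath, and the class name HardenedSvgRasterizer is my own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import org.apache.batik.bridge.ExternalResourceSecurity;
import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
import org.apache.batik.bridge.NoLoadScriptSecurity;
import org.apache.batik.bridge.ScriptSecurity;
import org.apache.batik.bridge.UserAgent;
import org.apache.batik.transcoder.TranscoderException;
import org.apache.batik.transcoder.TranscoderInput;
import org.apache.batik.transcoder.TranscoderOutput;
import org.apache.batik.transcoder.image.PNGTranscoder;
import org.apache.batik.util.ParsedURL;

// PNGTranscoder whose user agent refuses every script and every external resource,
// so an untrusted SVG cannot trigger outbound fetches, file reads or code execution.
public class HardenedSvgRasterizer extends PNGTranscoder {

    public HardenedSvgRasterizer() {
        // onload handlers are off by default; stated explicitly so a later
        // change to the defaults cannot silently re-enable them.
        addTranscodingHint(KEY_EXECUTE_ONLOAD, Boolean.FALSE);
    }
    @Override
    protected UserAgent createUserAgent() {
        return new SVGAbstractTranscoderUserAgent() {
            @Override  // no script of any type (ECMAScript, Java/jar, ...) may run
            public ScriptSecurity getScriptSecurity(String scriptType, ParsedURL scriptURL, ParsedURL docURL) {
                return new NoLoadScriptSecurity(scriptType);
            }

            @Override  // no external href (jar:, file:, http:, ...) may be loaded
            public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
                return new NoLoadExternalResourceSecurity();
            }
        };
    }

    public static void main(String[] args) throws TranscoderException {
        // Constructed sample input: a self-contained SVG with no external references.
        String svg = "<svg xmlns='http://www.w3.org/2000/svg' width='10' height='10'>"
                   + "<rect width='10' height='10' fill='red'/></svg>";
        ByteArrayOutputStream png = new ByteArrayOutputStream();
        new HardenedSvgRasterizer().transcode(
            new TranscoderInput(new ByteArrayInputStream(svg.getBytes(StandardCharsets.UTF_8))),
            new TranscoderOutput(png));
        System.out.println("rendered " + png.size() + " PNG bytes");
    }
}
```

With these overrides, an SVG carrying a script element or an href to a jar: or file: URL is rendered without that script or resource (Batik reports the refusal as a bridge error), which is the behaviour to verify in a test before trusting the rasterizer with external input.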
References
- https://bugs.mageia.org/show_bug.cgi?id=30882
- https://www.openwall.com/lists/oss-security/2022/09/22/2
- https://www.openwall.com/lists/oss-security/2022/09/22/3
- https://www.openwall.com/lists/oss-security/2022/09/22/4
- https://www.openwall.com/lists/oss-security/2022/10/25/2
- https://www.openwall.com/lists/oss-security/2022/10/25/3
- https://www.debian.org/security/2022/dsa-5264
- https://ubuntu.com/security/notices/USN-6117-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38398
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38648
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40146
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41704
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42890
SRPMS
9/core
- batik-1.14-4.1.mga9