Advisories » MGASA-2024-0068

Updated batik packages fix security vulnerabilities

Publication date: 16 Mar 2024
Modification date: 16 Mar 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2022-38398, CVE-2022-38648, CVE-2022-40146, CVE-2022-41704, CVE-2022-42890

Description

The updated packages fix security vulnerabilities:
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML
Graphics allows an attacker to load a URL through the jar protocol.
(CVE-2022-38398)
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML
Graphics allows an attacker to fetch external resources.
(CVE-2022-38648)
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML
Graphics allows an attacker to access files using a JAR URL.
(CVE-2022-40146)
A vulnerability in Batik of Apache XML Graphics allows an attacker to
run untrusted Java code from an SVG. (CVE-2022-41704)
A vulnerability in Batik of Apache XML Graphics allows an attacker to
run Java code from untrusted SVG via JavaScript. (CVE-2022-42890)

References

SRPMS

9/core