CVE-2022-41704: Apache Batik prior to 1.16 allows RCE when loading untrusted SVG input
Published Oct 25, 2022
A flaw was found in Batik. This issue may allow a malicious user to run untrusted Java code from an SVG.
Affected Software
12 affected components, fixes available:

| Package | Affected versions | Fixed version(s) |
|---|---|---|
| maven/org.apache.xmlgraphics:batik | <1.16 | 1.16 |
| redhat/org.apache.xmlgraphics batik | <1.16 | 1.16 |
| debian/batik | <=1.10-2+deb10u1 | 1.10-2+deb10u3, 1.12-4+deb11u2, 1.12-4+deb11u1, 1.16+dfsg-1+deb12u1, 1.17+dfsg-1 |
| ubuntu/batik | <1.10-2~18.04.1 | 1.10-2~18.04.1 |
| ubuntu/batik | <1.12-1ubuntu0.1 | 1.12-1ubuntu0.1 |
| ubuntu/batik | <1.14-1ubuntu0.2 | 1.14-1ubuntu0.2 |
| ubuntu/batik | <1.14-2ubuntu0.1 | 1.14-2ubuntu0.1 |
| ubuntu/batik | <1.7.ubuntu-8ubuntu2.14.04.3+ | 1.7.ubuntu-8ubuntu2.14.04.3+ |
| ubuntu/batik | <1.8-3ubuntu1+ | 1.8-3ubuntu1+ |
| Apache Batik | >=1.0, <1.16 | |
| Debian Linux | =10.0 | |
| Debian Linux | =11.0 | |
Event History
- Oct 25, 2022, 12:00 AM: CVE Published via MITRE
- Oct 25, 2022, 12:00 AM: Data Sourced (Remedy, Description, Severity, Weakness, Affected Software)
- Oct 25, 2022, 12:00 AM: Data Sourced via MITRE (Description, Weakness)
- Oct 25, 2022, 05:15 PM: Data Sourced via NVD (Description, Severity, Weakness, Affected Software)
- Oct 25, 2022, 07:00 PM: Advisory Published
- Jan 12, 2024, 12:11 AM: Data Sourced via Launchpad (Description)
Frequently Asked Questions
1. What is the vulnerability ID for this flaw in Batik?
   The vulnerability ID for this flaw in Batik is CVE-2022-41704.
2. What is the severity level of CVE-2022-41704?
   CVE-2022-41704 has a severity level of high.
3. What is the affected software for CVE-2022-41704?
   The affected software for CVE-2022-41704 is Batik of Apache XML Graphics prior to version 1.16.
4. How can I fix CVE-2022-41704?
   To fix CVE-2022-41704, it is recommended to update to version 1.16 of Apache XML Graphics.
5. Where can I find more information about CVE-2022-41704?
   You can find more information about CVE-2022-41704 at the following references: [Link 1](https://lists.apache.org/thread/hplhx0o74jb7blj39fm4kw3otcnjd6xf), [Link 2](http://www.openwall.com/lists/oss-security/2022/10/25/2), [Link 3](https://www.debian.org/security/2022/dsa-5264).