Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0777-1 advisory.

  - In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed     to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the     user context in which the exploitable application is running. If the user is root a full compromise of the     server - including confidential or sensitive files - would be possible. XXE can also be used to attack the     availability of the server via denial of service as the references within a xml document can trivially     trigger an amplification attack. (CVE-2017-5662)

  - Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the     xlink:href attributes. By using a specially-crafted argument, an attacker could exploit this     vulnerability to cause the underlying server to make arbitrary GET requests. (CVE-2019-17566)

  - Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the     NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to     cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger     loading external resources by default, causing resource consumption or in some cases even information     disclosure. Users are recommended to upgrade to version 1.17 or later. (CVE-2022-44729)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data     and send it directly as parameter to a URL. (CVE-2022-44730)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202401-11 (Apache Batik: Multiple Vulnerabilities)

  - In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a     string from the inputStream as the class name which then use it to call the no-arg constructor of the     class. Fix was to check the class type before calling newInstance in deserialization. (CVE-2018-8013)

  - Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the     xlink:href attributes. By using a specially-crafted argument, an attacker could exploit this     vulnerability to cause the underlying server to make arbitrary GET requests. (CVE-2019-17566)

  - Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the     NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to     cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger     loading external resources by default, causing resource consumption or in some cases even information     disclosure. Users are recommended to upgrade to version 1.17 or later. (CVE-2022-44729)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data     and send it directly as parameter to a URL. (CVE-2022-44730)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6117-1 advisory.

  - Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the     xlink:href attributes. By using a specially-crafted argument, an attacker could exploit this     vulnerability to cause the underlying server to make arbitrary GET requests. (CVE-2019-17566)

  - Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the     NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to     cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle WebLogic Server installed on the remote host is missing a security patch from the July 2022 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including:

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Third Party     Tools, Samples (Spring Framework)). Supported versions that are affected are 12.2.1.3.0, 12.2.1.4.0 and     14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of     Oracle WebLogic Server. (CVE-2022-22965)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Third Party Jars (OWASP Enterprise Security API)). Supported versions that are affected are 12.2.1.3.0,     12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network     access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result     in takeover of Oracle WebLogic Server. (CVE-2022-23457)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Third Party Jars (Apache Maven)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0.
    Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data     as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server     accessible data. (CVE-2021-26291)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The All Supported Versions versions of GoldenGate installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2021 CPU advisory.

  - Vulnerability in Oracle GoldenGate (component: Install (Dell BSAFE Crypto-J)). The supported version that is     affected is Prior to 19.1.0.0.0.210420. Easily exploitable vulnerability allows unauthenticated attacker with     network access via Oracle Net to compromise Oracle GoldenGate. Successful attacks require human interaction     from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized     access to critical data or complete access to all Oracle GoldenGate accessible data. (CVE-2019-3740)

  - Security-in-Depth issue in Oracle GoldenGate (component: Install (jQuery)). This vulnerability cannot be     exploited in the context of this product. (CVE-2020-11023)   
  - Security-in-Depth issue in Oracle GoldenGate (component: General (Apache Batik)). This vulnerability cannot     be exploited in the context of this product. (CVE-2020-11987)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory.

  - Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions     that are affected are 12.1.0.2 and 19c. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via Oracle Net to compromise Advanced Networking Option. Successful attacks require     human interaction from a person other than the attacker and while the vulnerability is in Advanced     Networking Option, attacks may significantly impact additional products. Successful attacks of this     vulnerability can result in takeover of Advanced Networking Option. (CVE-2021-2351)

  - Vulnerability in the Oracle Text component of Oracle Database Server. Supported versions that are affected     are 12.1.0.2 and 19c. Easily exploitable vulnerability allows high privileged attacker having Create Any     Procedure, Alter Any Table privilege with network access via Oracle Net to compromise Oracle Text.
    Successful   attacks of this vulnerability can result in takeover of Oracle Text. (CVE-2021-2328)

  - Vulnerability in the Oracle XML DB component of Oracle Database Server. Supported versions that are     affected   are 12.1.0.2 and 19c. Easily exploitable vulnerability allows high privileged attacker having     Create Any   Procedure, Create Public Synonym privilege with network access via Oracle Net to compromise     Oracle XML DB.   Successful attacks of this vulnerability can result in takeover of Oracle XML DB.
    (CVE-2021-2329)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The IBM WebSphere Application Server running on the remote host is version 8.0.0.0 through 8.0.0.15, 8.5.0.x prior to 8.5.5.18, or 9.0.x prior to 9.0.5.5. It is, therefore, affected by a server-side request forgery vulnerability due to improper input validation by the xlink:href attributes. An unauthenticated, remote attacker can exploit this to cause the underlying server to make arbitrary GET requests.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Updates to the latest upstream release of Eclipse. See the upstream release notes for details:
https://www.eclipse.org/eclipseide/2020-06/noteworthy/

Also contains security fixes for CVE-2019-17566 and CVE-2019-17638.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xmlgraphics-batik fixes the following issues :

  - CVE-2019-17566: Fixed a SSRF which might have allowed     the underlying server to make arbitrary GET requests     (bsc#1172961).

This update was imported from the SUSE:SLE-15-SP1:Update update project.

ID	Name	Product	Family	Severity
191700	SUSE SLES12 Security Update : xmlgraphics-batik (SUSE-SU-2024:0777-1)	Nessus	SuSE Local Security Checks	high
187730	GLSA-202401-11 : Apache Batik: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
176489	Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS : Apache Batik vulnerabilities (USN-6117-1)	Nessus	Ubuntu Local Security Checks	high
163298	Oracle WebLogic Server (Jul 2022 CPU)	Nessus	Misc.	critical
154342	Oracle GoldenGate (Oct 2021 CPU)	Nessus	Misc.	high
152026	Oracle Database Server Multiple Vulnerabilities (Jul 2021 CPU)	Nessus	Databases	critical
142059	IBM WebSphere Application Server 8.0.0.x <= 8.0.0.15 / 8.5.x < 8.5.5.18 / 9.0.x < 9.0.5.5 SSRF (CVE-2019-17566)	Nessus	Web Servers	high
140107	Fedora 32 : 1:ecj / 1:eclipse / 1:eclipse-emf / 2:eclipse-cdt / batik / etc (2020-cf8ef2f333)	Nessus	Fedora Local Security Checks	critical
138698	openSUSE Security Update : xmlgraphics-batik (openSUSE-2020-851)	Nessus	SuSE Local Security Checks	high

Detections

Analytics

CVE-2019-17566

high

Tenable Plugins

high

critical

high

critical

high

critical

high

critical

high