Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-4243 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4243-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                          Adrian Bunk     July 20, 2025                                 https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : batik     Version        : 1.12-4+deb11u3     CVE ID         : CVE-2020-11987 CVE-2022-38398 CVE-2022-38648 CVE-2022-40146     Debian Bug     : 984829 1020589

    Multiple cases of Server-Side Request Forgery have been fixed in the     Batik SVG toolkit for Java.

    For Debian 11 bullseye, these problems have been fixed in version     1.12-4+deb11u3.

    We recommend that you upgrade your batik packages.

    For the detailed security status of batik please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/batik

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0777-1 advisory.

  - In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed     to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the     user context in which the exploitable application is running. If the user is root a full compromise of the     server - including confidential or sensitive files - would be possible. XXE can also be used to attack the     availability of the server via denial of service as the references within a xml document can trivially     trigger an amplification attack. (CVE-2017-5662)

  - Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the     xlink:href attributes. By using a specially-crafted argument, an attacker could exploit this     vulnerability to cause the underlying server to make arbitrary GET requests. (CVE-2019-17566)

  - Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the     NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to     cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger     loading external resources by default, causing resource consumption or in some cases even information     disclosure. Users are recommended to upgrade to version 1.17 or later. (CVE-2022-44729)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data     and send it directly as parameter to a URL. (CVE-2022-44730)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202401-11 (Apache Batik: Multiple Vulnerabilities)

  - In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a     string from the inputStream as the class name which then use it to call the no-arg constructor of the     class. Fix was to check the class type before calling newInstance in deserialization. (CVE-2018-8013)

  - Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the     xlink:href attributes. By using a specially-crafted argument, an attacker could exploit this     vulnerability to cause the underlying server to make arbitrary GET requests. (CVE-2019-17566)

  - Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the     NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to     cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger     loading external resources by default, causing resource consumption or in some cases even information     disclosure. Users are recommended to upgrade to version 1.17 or later. (CVE-2022-44729)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data     and send it directly as parameter to a URL. (CVE-2022-44730)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-93178 advisory.

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3619 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3619-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                   Bastien Roucaris     October 14, 2023                              https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : batik     Version        : 1.10-2+deb10u3     CVE ID         : CVE-2020-11987 CVE-2022-38398 CVE-2022-38648 CVE-2022-40146                      CVE-2022-44729 CVE-2022-44730     Debian Bug     : 984829 1020589

    Batik is a toolkit for applications or applets that want to use images     in the Scalable Vector Graphics (SVG) format for various purposes,     such as viewing, generation or manipulation.

    CVE-2020-11987

        A server-side request forgery was found,         caused by improper input validation by the NodePickerPanel.
        By using a specially-crafted argument, an attacker could exploit         this vulnerability to cause the underlying server to make         arbitrary GET requests.

    CVE-2022-38398

        A Server-Side Request Forgery (SSRF) vulnerability         was found that allows an attacker to load a url thru the jar         protocol.

    CVE-2022-38648

        A Server-Side Request Forgery (SSRF) vulnerability         was found that allows an attacker to fetch external resources.

    CVE-2022-40146

        A Server-Side Request Forgery (SSRF) vulnerability         was found that allows an attacker to access files using a Jar url.

    CVE-2022-44729

        A Server-Side Request Forgery (SSRF) vulnerability         was found. A malicious SVG could trigger loading external resources         by default, causing resource consumption or in some         cases even information disclosure.

    CVE-2022-44730

        A Server-Side Request Forgery (SSRF) vulnerability         was found. A malicious SVG can probe user profile / data and send         it directly as parameter to a URL.

    For Debian 10 buster, these problems have been fixed in version     1.10-2+deb10u3.

    We recommend that you upgrade your batik packages.

    For the detailed security status of batik please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/batik

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6117-1 advisory.

    It was discovered that Apache Batik incorrectly handled certain inputs. An attacker could possibly use     this to perform a cross site request forgery attack. (CVE-2019-17566, CVE-2020-11987, CVE-2022-38398,     CVE-2022-38648)

    It was discovered that Apache Batik incorrectly handled Jar URLs in some situations. A remote attacker     could use this issue to access files on the server. (CVE-2022-40146)

    It was discovered that Apache Batik allowed running untrusted Java code from an SVG. An attacker could use     this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2022-41704,     CVE-2022-42890)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of batik installed on the remote host is prior to 1.7-10.10. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2023-1695 advisory.

    Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the     NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to     cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

    Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

    Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

    Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

    A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

    A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of batik installed on the remote host is prior to 1.8-0.12.svn1230816. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-1966 advisory.

    Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the     NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to     cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

    Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

    Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

    Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

    A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

    A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
242417	Debian dla-4243 : libbatik-java - security update	Nessus	Debian Local Security Checks	high
224926	Linux Distros Unpatched Vulnerability : CVE-2022-40146	Nessus	Misc.	high
191700	SUSE SLES12 Security Update : xmlgraphics-batik (SUSE-SU-2024:0777-1)	Nessus	SuSE Local Security Checks	high
187730	GLSA-202401-11 : Apache Batik: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
186174	Atlassian Confluence 7.13.x / 7.19.x < 7.19.16 (CONFSERVER-93178)	Nessus	CGI abuses	high
183091	Debian dla-3619 : libbatik-java - security update	Nessus	Debian Local Security Checks	high
176489	Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS : Apache Batik vulnerabilities (USN-6117-1)	Nessus	Ubuntu Local Security Checks	high
172184	Amazon Linux AMI : batik (ALAS-2023-1695)	Nessus	Amazon Linux Local Security Checks	high
172170	Amazon Linux 2 : batik (ALAS-2023-1966)	Nessus	Amazon Linux Local Security Checks	high

Detections

Analytics

CVE-2022-40146

high

Tenable Plugins

high

high

high

critical

high

high

high

high

high