Two Server-Side Request Forgery (SSRF) vulnerabilities have been identified in Apache Batik, potentially enabling malicious actors to gain unauthorized access to sensitive data within the Apache Batik application.
These vulnerabilities specifically pertain to Apache XML Graphics Batik and have been assigned the CVE IDs CVE-2022-44729 and CVE-2022-44730.
Apache Batik is a Java-based application toolkit employed for rendering, generating, and manipulating Scalable Vector Graphics (SVG) files. It comprises various modules, including SVG Parser, SVG Generator, and SVG DOM.
CVE-2022-44729 & CVE-2022-44730 in Apache Batik

CVE-2022-44729: This SSRF vulnerability allows malicious actors to induce Apache Batik to load external resources by exploiting a malicious SVG file. This could lead to increased resource consumption or inadvertent information disclosure.
CVE-2022-44730: This vulnerability can be exploited by threat actors who employ a malicious SVG file to probe user profiles/data and subsequently transmit it as a URL parameter, ultimately resulting in information disclosure.
In response to these vulnerabilities, Apache has implemented patches that block external resource loading by default and establish a whitelist within the Rhino JS engine.
These vulnerabilities affect versions of Batik prior to 1.16. To mitigate the risk of exploitation, users of Apache Batik are strongly advised to upgrade to the latest version, 1.17.
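Upgrading is the fix; the example below is an added defense-in-depth measure for applications that embed Batik, not code from the article or from the Apache Batik project. It subclasses Batik's PNGTranscoder and supplies a UserAgent whose two security hooks refuse every external resource and every script, so a rendered SVG cannot trigger outbound fetches even on a build whose defaults are more permissive. Class and method names (UserAgent, SVGAbstractTranscoderUserAgent, NoLoadExternalResourceSecurity, NoLoadScriptSecurity, ParsedURL) are Batik's bridge and transcoder APIs as the editor knows them; confirm them against the Batik version you deploy. The file paths in main are constructed placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;

import org.apache.batik.bridge.ExternalResourceSecurity;
import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
import org.apache.batik.bridge.NoLoadScriptSecurity;
import org.apache.batik.bridge.ScriptSecurity;
import org.apache.batik.bridge.UserAgent;
import org.apache.batik.transcoder.TranscoderException;
import org.apache.batik.transcoder.TranscoderInput;
import org.apache.batik.transcoder.TranscoderOutput;
import org.apache.batik.transcoder.image.PNGTranscoder;
import org.apache.batik.util.ParsedURL;

/**
 * PNGTranscoder that renders untrusted SVG with a deny-all policy for
 * external resources and scripts. Added hardening example; not Batik code.
 */
public class HardenedPngTranscoder extends PNGTranscoder {

    @Override
    protected UserAgent createUserAgent() {
        // Keep Batik's default transcoder user agent and override only the
        // two hooks the bridge consults before loading anything.
        return new SVGAbstractTranscoderUserAgent() {
            @Override
            public ExternalResourceSecurity getExternalResourceSecurity(
                    ParsedURL resourceURL, ParsedURL docURL) {
                // Refuse <image>, <use>, CSS @import and any other reference
                // that would make Batik fetch a URL on the attacker's behalf
                // (http://, file://, jar: ...). Same-document references
                // are not external and remain unaffected.
                return new NoLoadExternalResourceSecurity();
            }

            @Override
            public ScriptSecurity getScriptSecurity(
                    String scriptType, ParsedURL scriptURL, ParsedURL docURL) {
                // Refuse all <script> content, whatever the MIME type,
                // so the Rhino engine is never entered for this document.
                return new NoLoadScriptSecurity(scriptType);
            }
        };
    }

    /** Renders one SVG file to PNG; returns false if Batik rejected it. */
    public static boolean render(String svgPath, String pngPath) throws Exception {
        HardenedPngTranscoder transcoder = new HardenedPngTranscoder();
        transcoder.addTranscodingHint(PNGTranscoder.KEY_WIDTH, 512f);
        try (InputStream in = new FileInputStream(svgPath);
             OutputStream out = new FileOutputStream(pngPath)) {
            transcoder.transcode(new TranscoderInput(in), new TranscoderOutput(out));
            return true;
        } catch (TranscoderException e) {
            // A refused external load or script surfaces here; treat the
            // document as rejected rather than retrying with a looser policy.
            System.err.println("rejected " + svgPath + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder paths for illustration.
        String svg = args.length > 0 ? args[0] : "untrusted.svg";
        String png = args.length > 1 ? args[1] : "out.png";
        System.out.println(render(svg, png) ? "rendered " + png : "not rendered");
    }
}
```

The policy objects are evaluated per reference, so a document that mixes inline content with one remote xlink:href still fails at that reference rather than rendering partially with a silent fetch. Keep the KEY_WIDTH hint (or a KEY_MAX_WIDTH bound) in place as well, since the resource-consumption side of CVE-2022-44729 is also limited by capping output size.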