oss-security - Re: [CVE-2022-44729] Apache Batik information disclosure vulnerability

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Tue, 22 Aug 2023 16:07:16 +0800
From: Nbxiglk <fibr3s@...il.com>
To: Simon Steiner <simonsteiner1984@...il.com>
Cc: general@...graphics.apache.org, batik-dev@...graphics.apache.org, 
	batik-users@...graphics.apache.org, 
	Apache Security Team <security@...che.org>, oss-security@...ts.openwall.com
Subject: Re: [CVE-2022-44729] Apache Batik information disclosure vulnerability

Hi，The vuln type inside the email seems to be incorrect, it should be SSRF。

Simon Steiner <simonsteiner1984@...il.com> 于2023年8月22日周二 16:00写道：

> CVE-2022-44729:
>         Apache Batik information disclosure vulnerability
>
> Severity:
>         Medium
>
> Vendor:
>         The Apache Software Foundation
>
> Versions Affected:
>         Batik 1.0 - 1.16
>
> Description:
>         Block loading external resource by default
>
> Mitigation:
>         Users should upgrade to Batik 1.17
>
> Credit:
>         This issue was independently reported by nbxiglk
>
> References:
>         http://xmlgraphics.apache.org/security.html
>         https://issues.apache.org/jira/browse/BATIK-1349
>
> The Apache XML Graphics team.
>
>
>
>
>

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.