
CVE-2022-44729 Apache XML Graphics Batik v1.16 Server-Side Request Forgery vulnerability

Open nkshschdv opened this issue 1 year ago • 2 comments

Microsoft Defender for Cloud on Azure has detected vulnerability CVE-2022-44729 in apache-jmeter-5.6.3. Please find the report below:

```text
Critical and High severity vulnerabilities detected in your CNAB bundle by scanning referenced images with Microsoft Defender for Cloud. To know more about the vulnerability scanning process go to https://aka.ms/Container-Certification-Vulnerability-Found.
Details about the Vulnerabilities detected are:
Source image: xxxxxxxx.azurecr.io/xxxxxxx
Image digestId: sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
VulnerabilityId: 994981
CVSS version 3 score: 7.1
CVE Ids: link= http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44729 and CveId= CVE-2022-44729

Vulnerability Information: Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16.
Remediation Steps: Refer to Github security advisory GHSA-gq5f-xv48-2365 for updates and patch information.

Patch:

Following are links for downloading patches to fix the vulnerabilities:

GHSA-gq5f-xv48-2365:org.apache.xmlgraphics:batik-bridge
```

On searching my container, I can find the following location, as shown in the screenshot, leading to the JMeter installation image.

Actual behavior

The version of the following artifacts should be 1.17 or higher:

  1. org.apache.xmlgraphics:batik-bridge
  2. org.apache.xmlgraphics:batik-transcoder

Steps to reproduce the problem

  1. Install JMeter on Ubuntu Linux.
  2. Search for the keyword using `find / -path /proc -prune -o -iname "batik" -print`.
  3. Some of the results will point to batik-bridge 1.16 and batik-transcoder 1.16, a vulnerable version.

JMeter Version

5.6.3

Java Version

openjdk version "11.0.22" 2024-01-16

OS Version

Linux 62ef50357f09 5.15.0-1057-azure #65~20.04.1-Ubuntu SMP Mon Feb 12 17:26:40 UTC 2024 x86_64 GNU/Linux

nkshschdv, Feb 27 '24 07:02
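One way to script the check described in the steps above, as an added example that is not part of the original issue or of JMeter itself: it walks a lib directory, parses the version out of each Batik jar name (assuming Maven's `<artifact>-<version>.jar` naming), and flags anything below the fixed version. The JMeter lib path and the sample jar names are assumptions.

```shell
#!/bin/sh
# Added example: flag Batik jars below a fixed version (1.17 for CVE-2022-44729).
# Assumes jar files are named <artifact>-<version>.jar, as Maven artifacts are.

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Non-numeric qualifiers (e.g. "Final") are stripped and compare as 0.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        ah=$(printf '%s' "$ah" | tr -cd '0-9')
        bh=$(printf '%s' "$bh" | tr -cd '0-9')
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 1
    done
    return 1
}

# scan_batik_jars DIR FIXED: print one line per Batik jar found under DIR,
# marked VULNERABLE when its version is below FIXED, otherwise ok.
scan_batik_jars() {
    dir=$1 fixed=$2
    find "$dir" -type f -name 'batik-*.jar' | sort | while read -r jar; do
        base=${jar##*/}; base=${base%.jar}
        version=${base##*-}      # text after the last dash: 1.16
        artifact=${base%-*}      # text before it: batik-bridge
        if version_lt "$version" "$fixed"; then
            printf '%s %s VULNERABLE (fixed in %s)\n' "$artifact" "$version" "$fixed"
        else
            printf '%s %s ok\n' "$artifact" "$version"
        fi
    done
}

# Usage: sh check_batik.sh /opt/apache-jmeter-5.6.3/lib [fixed-version]
# (the lib path is an assumption; point it at your own installation)
if [ -n "${1:-}" ]; then
    scan_batik_jars "$1" "${2:-1.17}"
fi
```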

Hi Team, is this something that is planned to be fixed and rolled out soon?

akasturia, Sep 26 '24 18:09

Adding some CVE results:

| Package | Version | Fixed version | CVE |
|---|---|---|---|
| org.apache.xmlgraphics/batik-transcoder | 1.16 | 1.18 | CVE-2022-44729 |
| org.apache.xmlgraphics/batik-bridge | 1.16 | 1.18 | CVE-2022-44729 |
| org.apache.xmlgraphics/batik-script | 1.16 | 1.18 | CVE-2022-44730 |
| dnsjava/dnsjava | 2.1.9 | 3.6.2 | CVE-2024-25638 |
| com.thoughtworks.xstream/xstream | 1.4.20 | 1.4.21 | CVE-2024-47072 |
| io.netty/netty-common | 4.1.104.Final | 4.1.116.Final | CVE-2024-47535 |

liukunup, Dec 27 '24 03:12

We got these vulnerabilities flagged by GitHub Dependabot alerts: 4 are High-severity and 2 are Moderate. Do you have any plans on fixing this?

nih-dk, Oct 10 '25 18:10

> We got these vulnerabilities flagged by GitHub Dependabot alerts: 4 are High-priority and 2 are Moderate. Do you have any plans on fixing this?

See https://github.com/liukunup/JMeter/tree/main/security

liukunup, Oct 11 '25 01:10

Fixed in https://github.com/apache/jmeter/commit/04bd01aa41b86483b56178224c83e3532e23799a

vlsi, Oct 29 '25 09:10

@vlsi This is great! When can we expect a release with this issue resolved?

nih-dk, Nov 14 '25 21:11