openhtmltopdf

Update batik and xmlgraphics-commons

Open lyca opened this issue 3 years ago • 3 comments

Fixes

  • CVE-2022-42890 A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
  • CVE-2022-41704 A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
  • CVE-2022-40146 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar URL. This issue affects Apache XML Graphics Batik 1.14.
  • CVE-2022-38648 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
  • CVE-2022-38398 Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a URL through the jar protocol. This issue affects Apache XML Graphics Batik 1.14.

lyca, Nov 03 '22 19:11

This seems like an easy PR to get rid of CVEs. Giving my vote to get this merged.

jjcard, Jan 26 '23 17:01

@danfickle Is there any chance to get it merged?

wromanek, Sep 25 '23 09:09