A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.

The version of Oracle Business Intelligence Enterprise Edition 12.2.1.4 installed on the remote host is affected by multiple vulnerabilities as referenced in the April 2024 CPU advisory, including the following:

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Web General (Apache Batik)). The supported version that is affected is 12.2.1.4.0.     Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can     result in unauthorized access to critical data or complete access to all Oracle Business Intelligence     Enterprise Edition accessible data. (CVE-2022-42890)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Server (jackson-databind)). Supported versions that are affected are 7.0.0.0.0 and     12.2.1.4.0. Difficult to exploit vulnerability allows low privileged attacker with logon to the     infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle     Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Business     Intelligence Enterprise Edition.(CVE-2023-35116)

  - Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics     (component: Analytics Web Answers). Supported versions that are affected are 7.0.0.0.0 and 12.2.1.4.0.     Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to     compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction     from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence     Enterprise Edition, attacks may significantly impact additional products (scope change). Successful     attacks of this vulnerability can result in unauthorized update, insert or delete access to some of     Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a     subset of Oracle Business Intelligence Enterprise Edition accessible data.(CVE-2024-21064)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0808-1 advisory.

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger     loading external resources by default, causing resource consumption or in some cases even information     disclosure. Users are recommended to upgrade to version 1.17 or later. (CVE-2022-44729)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data     and send it directly as parameter to a URL. (CVE-2022-44730)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0777-1 advisory.

  - In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed     to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the     user context in which the exploitable application is running. If the user is root a full compromise of the     server - including confidential or sensitive files - would be possible. XXE can also be used to attack the     availability of the server via denial of service as the references within a xml document can trivially     trigger an amplification attack. (CVE-2017-5662)

  - Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the     xlink:href attributes. By using a specially-crafted argument, an attacker could exploit this     vulnerability to cause the underlying server to make arbitrary GET requests. (CVE-2019-17566)

  - Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the     NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to     cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger     loading external resources by default, causing resource consumption or in some cases even information     disclosure. Users are recommended to upgrade to version 1.17 or later. (CVE-2022-44729)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data     and send it directly as parameter to a URL. (CVE-2022-44730)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202401-11 (Apache Batik: Multiple Vulnerabilities)

  - In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a     string from the inputStream as the class name which then use it to call the no-arg constructor of the     class. Fix was to check the class type before calling newInstance in deserialization. (CVE-2018-8013)

  - Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the     xlink:href attributes. By using a specially-crafted argument, an attacker could exploit this     vulnerability to cause the underlying server to make arbitrary GET requests. (CVE-2019-17566)

  - Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the     NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to     cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger     loading external resources by default, causing resource consumption or in some cases even information     disclosure. Users are recommended to upgrade to version 1.17 or later. (CVE-2022-44729)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data     and send it directly as parameter to a URL. (CVE-2022-44730)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-93175 advisory.

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle WebLogic Server installed on the remote host is missing a security patch from the July 2023 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including:

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Third Party Jars (Jettison)). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to     cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. (CVE-2023-1436)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).     Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability     allows high privileged attacker with network access via multiple protocols to compromise Oracle WebLogic     Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or     modification access to critical data or all Oracle WebLogic Server accessible data and unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server.     (CVE-2023-22040)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized     Thirdparty Jars (NekoHTML)). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle     WebLogic Server. (CVE-2023-26119)

  Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6117-1 advisory.

    It was discovered that Apache Batik incorrectly handled certain inputs. An attacker could possibly use     this to perform a cross site request forgery attack. (CVE-2019-17566, CVE-2020-11987, CVE-2022-38398,     CVE-2022-38648)

    It was discovered that Apache Batik incorrectly handled Jar URLs in some situations. A remote attacker     could use this issue to access files on the server. (CVE-2022-40146)

    It was discovered that Apache Batik allowed running untrusted Java code from an SVG. An attacker could use     this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2022-41704,     CVE-2022-42890)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Business Process Management Suite installed on the remote host is affected by multiple vulnerabilities, as referenced in the April 2023 CPU advisory. Specifically:

  - Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses     Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations     that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
    (CVE-2022-45047)

  - In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in     primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature     is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1 (CVE-2022-42003)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version     1.16. (CVE-2022-42890)

  - jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety.
    jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when     a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled,     HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the     site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This     issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input     may have been persisted, old content should be cleaned again using the updated version. (CVE-2022-36033)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

The version of batik installed on the remote host is prior to 1.7-10.10. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2023-1695 advisory.

  - Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the     NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to     cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of batik installed on the remote host is prior to 1.8-0.12.svn1230816. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-1966 advisory.

  - Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the     NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to     cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3169 advisory.

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5264 advisory.

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG.
    This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
    (CVE-2022-41704)

  - A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via     JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to     version 1.16. (CVE-2022-42890)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
193559	Oracle Business Intelligence Enterprise Edition (April 2024 CPU)	Nessus	Misc.	high
191745	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : xmlgraphics-batik (SUSE-SU-2024:0808-1)	Nessus	SuSE Local Security Checks	high
191700	SUSE SLES12 Security Update : xmlgraphics-batik (SUSE-SU-2024:0777-1)	Nessus	SuSE Local Security Checks	high
187730	GLSA-202401-11 : Apache Batik: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
186216	Atlassian Confluence 7.13 / 7.19.x < 7.19.16 (CONFSERVER-93175)	Nessus	CGI abuses	high
178618	Oracle WebLogic Server (July 2023 CPU)	Nessus	Misc.	critical
176489	Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS / 22.04 LTS : Apache Batik vulnerabilities (USN-6117-1)	Nessus	Ubuntu Local Security Checks	high
174472	Oracle Business Process Management Suite (Apr 2023 CPU)	Nessus	Misc.	critical
172184	Amazon Linux AMI : batik (ALAS-2023-1695)	Nessus	Amazon Linux Local Security Checks	high
172170	Amazon Linux 2 : batik (ALAS-2023-1966)	Nessus	Amazon Linux Local Security Checks	high
166735	Debian DLA-3169-1 : batik - LTS security update	Nessus	Debian Local Security Checks	high
166705	Debian DSA-5264-1 : batik - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2022-42890

high

Tenable Plugins

high

high

high

critical

high

critical

high

critical

high

high

high

high