The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3619 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3619-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                   Bastien Roucaris     October 14, 2023                              https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : batik     Version        : 1.10-2+deb10u3     CVE ID         : CVE-2020-11987 CVE-2022-38398 CVE-2022-38648 CVE-2022-40146                      CVE-2022-44729 CVE-2022-44730     Debian Bug     : 984829 1020589

    Batik is a toolkit for applications or applets that want to use images     in the Scalable Vector Graphics (SVG) format for various purposes,     such as viewing, generation or manipulation.

    CVE-2020-11987

        A server-side request forgery was found,         caused by improper input validation by the NodePickerPanel.
        By using a specially-crafted argument, an attacker could exploit         this vulnerability to cause the underlying server to make         arbitrary GET requests.

    CVE-2022-38398

        A Server-Side Request Forgery (SSRF) vulnerability         was found that allows an attacker to load a url thru the jar         protocol.

    CVE-2022-38648

        A Server-Side Request Forgery (SSRF) vulnerability         was found that allows an attacker to fetch external resources.

    CVE-2022-40146

        A Server-Side Request Forgery (SSRF) vulnerability         was found that allows an attacker to access files using a Jar url.

    CVE-2022-44729

        A Server-Side Request Forgery (SSRF) vulnerability         was found. A malicious SVG could trigger loading external resources         by default, causing resource consumption or in some         cases even information disclosure.

    CVE-2022-44730

        A Server-Side Request Forgery (SSRF) vulnerability         was found. A malicious SVG can probe user profile / data and send         it directly as parameter to a URL.

    For Debian 10 buster, these problems have been fixed in version     1.10-2+deb10u3.

    We recommend that you upgrade your batik packages.

    For the detailed security status of batik please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/batik

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian dla-3619 : libbatik-java - security update

high Nessus Plugin ID 183091

Version 1.2

Version 1.1

Version 1.0

Version 1.2 Jan 22, 2025, 3:03 PM CVSS metrics ("Cvssv4 score" set to 0.0) CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:U/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:U/RL:O/RC:C") CVSSv2 severity (based on None, severity decreased from "High" to "Low") Plugin metadata Plugin Feed: 202501221503
Version 1.1 Oct 15, 2023, 10:12 PM CEA reference Plugin Feed: 202310152212
Version 1.0 Oct 15, 2023, 6:04 AM New Plugin Feed: 202310150604