The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3619 advisory.

  - Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the     NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to     cause the underlying server to make arbitrary GET requests. (CVE-2020-11987)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38398)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     fetch external resources. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-38648)

  - Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to     access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14. (CVE-2022-40146)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger     loading external resources by default, causing resource consumption or in some cases even information     disclosure. Users are recommended to upgrade to version 1.17 or later. (CVE-2022-44729)

  - Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics     Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data     and send it directly as parameter to a URL. (CVE-2022-44730)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian DLA-3619-1 : batik - LTS security update

high Nessus Plugin ID 183091

Version 1.1

Version 1.0

Version 1.1 Oct 15, 2023, 10:12 PM CEA reference Plugin Feed: 202310152212
Version 1.0 Oct 15, 2023, 6:04 AM New Plugin Feed: 202310150604