U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. VulnerabilitiesSearch And Statistics

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:apache:batik:1.5:beta4b:*:*:*:*:*:*
  • CPE Name Search: true
There are 8 matching records.
Displaying matches 1 through 8.
Vuln ID Summary CVSS Severity
CVE-2022-42890

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.

Published: October 25, 2022; 1:15:57 PM -0400 		V3.1: 7.5 HIGH
 V2.0:(not available)
CVE-2022-41704

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.

Published: October 25, 2022; 1:15:57 PM -0400 		V3.1: 7.5 HIGH
 V2.0:(not available)
CVE-2020-11987

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Published: February 24, 2021; 1:15:11 PM -0500 		V3.1: 8.2 HIGH
 V2.0: 6.4 MEDIUM
CVE-2019-17566

Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Published: November 12, 2020; 1:15:12 PM -0500 		V3.1: 7.5 HIGH
 V2.0: 5.0 MEDIUM
CVE-2018-8013

In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.

Published: May 24, 2018; 12:29:00 PM -0400 		V3.0: 9.8 CRITICAL
 V2.0: 7.5 HIGH
CVE-2017-5662

In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.

Published: April 18, 2017; 10:59:00 AM -0400 		V3.0: 7.3 HIGH
 V2.0: 7.9 HIGH
CVE-2015-0250

XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.

Published: March 24, 2015; 1:59:00 PM -0400 		V3.x:(not available)
 V2.0: 6.4 MEDIUM
CVE-2005-0508

Unknown vulnerability in Squiggle for Batik before 1.5.1 allows attackers to bypass certain access controls via certain features of the Rhino scripting engine due to a "script security issue."

Published: March 14, 2005; 12:00:00 AM -0500 		V3.x:(not available)
 V2.0: 4.6 MEDIUM