CVE-2022-44730 : Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation A

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data and send it directly as parameter to a URL.

Published 2023-08-22 19:16:30

Updated 2025-02-13 17:15:47

Source Apache Software Foundation

View at NVD, CVE.org

Vulnerability category: Server-side request forgery (SSRF)

Products affected by CVE-2022-44730

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Apache » Xml Graphics Batik
Versions from including (>=) 1.0 and up to, including, (<=) 1.16
cpe:2.3:a:apache:xml_graphics_batik:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-44730

EPSS FAQ

0.12%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 33 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-44730

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.4	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	1.8	2.5	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2022-44730

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Assigned by: security@apache.org (Secondary)

References for CVE-2022-44730

https://security.gentoo.org/glsa/202401-11

Apache Batik: Multiple Vulnerabilities (GLSA 202401-11) — Gentoo security

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2023/08/22/3

oss-security - [CVE-2022-44730] Apache Batik information disclosure vulnerability
Mailing List;Third Party Advisory
https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0

[CVE-2022-44730] Apache Batik information disclosure vulnerability-Apache Mail Archives
Mailing List;Vendor Advisory
http://www.openwall.com/lists/oss-security/2023/08/22/5

oss-security - Re: [CVE-2022-44730] Apache Batik information disclosure vulnerability
Mailing List;Third Party Advisory
https://xmlgraphics.apache.org/security.html

The Apache™ XML Graphics Project - Community
Vendor Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html

[SECURITY] [DLA 3619-1] batik security update
Mailing List

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-44730

Products affected by CVE-2022-44730

Exploit prediction scoring system (EPSS) score for CVE-2022-44730

CVSS scores for CVE-2022-44730

CWE ids for CVE-2022-44730

References for CVE-2022-44730