An update for batik is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2023-1651
Final
1.0
1.0
2023-09-15
Initial
2023-09-15
2023-09-15
openEuler SA Tool V1.0
2023-09-15
batik security update
An update for batik is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP3,openEuler-22.03-LTS,openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2.
Batik is a Java-based toolkit from the Apache XML Graphics project for rendering, generating and manipulating images in the Scalable Vector Graphics (SVG) format.
Security Fix(es):
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a URL through the jar protocol. This issue affects Apache XML Graphics Batik 1.14.(CVE-2022-38398)
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.(CVE-2022-38648)
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.(CVE-2022-40146)
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16.
On version 1.16, a malicious SVG could trigger loading of external resources by default, causing resource consumption or, in some cases, even information disclosure. Users are recommended to upgrade to version 1.17 or later.
(CVE-2022-44729)
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16.
A malicious SVG can probe user profile / data and send it directly as a parameter to a URL.
(CVE-2022-44730)
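All five issues share one input class: an SVG document that makes the renderer follow a URL (jar:, http:, file:, ...) to somewhere the operator never intended. The script below is an added triage example, not part of the openEuler advisory or the Batik project; it flags href/xlink:href/src attributes and CSS url() values whose scheme would cause an outbound or local fetch, so untrusted SVGs can be rejected or quarantined before a server-side Batik renderer ever parses them. The two sample SVGs are constructed for illustration, and the scheme list is an assumption to be extended per deployment.

```shell
#!/bin/sh
# Added example (not from the advisory or Batik): flag SVG files that reference
# resources through URL schemes a server-side renderer should not follow.
# Schemes checked are an assumption; extend them for your environment.

# Print every href / xlink:href / src attribute and url() value in $1 that
# carries a jar:, http(s):, ftp: or file: scheme. Exit 0 if any was found,
# 1 if the file only references inline ids (#...) or data: URIs.
svg_external_refs() {
    grep -oE '(xlink:href|href|src)[[:space:]]*=[[:space:]]*"[^"]*"|url\([^)]*\)' "$1" \
      | grep -iE '(jar|https?|ftp|file):'
}

# Walk a directory and print one "FLAGGED <path>" or "CLEAN <path>" line per
# SVG, so the result can be piped into a quarantine step.
svg_scan_dir() {
    for f in "$1"/*.svg; do
        [ -e "$f" ] || continue
        if svg_external_refs "$f" >/dev/null; then
            printf 'FLAGGED %s\n' "$f"
        else
            printf 'CLEAN %s\n' "$f"
        fi
    done
}

# Constructed samples (not real submissions): one SVG with a jar: reference and
# a link-local metadata address, one that only uses an inline gradient.
SVG_DIR=$(mktemp -d)
cat > "$SVG_DIR/untrusted.svg" <<'EOF'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <image xlink:href="jar:http://attacker.example/x.jar!/probe.svg" width="10" height="10"/>
  <image href="http://169.254.169.254/latest/meta-data/" width="10" height="10"/>
  <rect width="10" height="10" fill="url(#localGradient)"/>
</svg>
EOF
cat > "$SVG_DIR/trusted.svg" <<'EOF'
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <defs><linearGradient id="g"><stop offset="0" stop-color="red"/></linearGradient></defs>
  <rect width="100" height="100" fill="url(#g)"/>
</svg>
EOF

# Usage: svg_scan_dir "$SVG_DIR"   (prints FLAGGED for untrusted.svg, CLEAN for trusted.svg)
```

This is a pre-filter, not a substitute for the package update: Batik resolves references after parsing, so a renderer that still allows external resources can be reached through encodings this grep does not see. Treat a FLAGGED result as "do not render server-side", and treat a CLEAN result as nothing more than "no obvious external reference".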
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
batik
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1651
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-38398
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-38648
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-40146
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-44729
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-44730
https://nvd.nist.gov/vuln/detail/CVE-2022-38398
https://nvd.nist.gov/vuln/detail/CVE-2022-38648
https://nvd.nist.gov/vuln/detail/CVE-2022-40146
https://nvd.nist.gov/vuln/detail/CVE-2022-44729
https://nvd.nist.gov/vuln/detail/CVE-2022-44730
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
batik-help-1.17-1.oe1.noarch.rpm
batik-1.17-1.oe1.noarch.rpm
batik-help-1.17-1.oe1.noarch.rpm
batik-1.17-1.oe1.noarch.rpm
batik-1.17-1.oe2203.noarch.rpm
batik-help-1.17-1.oe2203.noarch.rpm
batik-1.17-1.oe2203sp1.noarch.rpm
batik-help-1.17-1.oe2203sp1.noarch.rpm
batik-help-1.17-1.oe2203sp2.noarch.rpm
batik-1.17-1.oe2203sp2.noarch.rpm
batik-1.17-1.oe1.src.rpm
batik-1.17-1.oe1.src.rpm
batik-1.17-1.oe2203.src.rpm
batik-1.17-1.oe2203sp1.src.rpm
batik-1.17-1.oe2203sp2.src.rpm
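Every affected branch is fixed by the same version-release, 1.17-1, differing only in the branch suffix (.oe1, .oe2203, .oe2203sp1, .oe2203sp2). The script below is an added example, not openEuler tooling; it strips that suffix and decides whether an installed batik or batik-help package is at or past the fixed version. It assumes GNU `sort -V` for version ordering, and the query output it classifies is a constructed sample rather than data from a real host.

```shell
#!/bin/sh
# Added example (not openEuler tooling): check whether installed batik packages
# already carry the fix from openEuler-SA-2023-1651. Assumes GNU sort -V.

FIXED_VR='1.17-1'   # version-release of the fixed packages on every branch

# Return 0 if version-release $1 is >= $2 (default: FIXED_VR).
# The branch suffix (.oe1, .oe2203sp2, ...) is removed first so one fixed
# value serves all five branches listed in the advisory.
batik_is_fixed() {
    inst=$(printf '%s' "$1" | sed -E 's/\.oe[0-9a-z]*$//')
    want=${2:-$FIXED_VR}
    lowest=$(printf '%s\n%s\n' "$want" "$inst" | sort -V | head -n 1)
    [ "$lowest" = "$want" ]
}

# Classify stdin lines of the form "<name> <version-release>", i.e. the shape of
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' batik batik-help
# and print "<name> <version-release> FIXED|VULNERABLE" per line.
classify_rpm_output() {
    while read -r name vr; do
        [ -n "$name" ] || continue
        if batik_is_fixed "$vr"; then
            printf '%s %s FIXED\n' "$name" "$vr"
        else
            printf '%s %s VULNERABLE\n' "$name" "$vr"
        fi
    done
}

# Query the local RPM database (only meaningful on an openEuler host).
check_host() {
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' batik batik-help | classify_rpm_output
}

# Constructed sample of query output (not from a real host): one stale
# package next to one that was already updated.
SAMPLE_RPM_OUTPUT='batik 1.14-3.oe2203sp2
batik-help 1.17-1.oe2203sp2'

# Usage: printf '%s\n' "$SAMPLE_RPM_OUTPUT" | classify_rpm_output
#    or: check_host
```

A VULNERABLE line means the host is still on a pre-1.17 build and `dnf update batik` (or the equivalent for the branch) is required; an update that only moved batik-help is not a fix, since the library lives in the batik package.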
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a URL through the jar protocol. This issue affects Apache XML Graphics Batik 1.14.
2023-09-15
CVE-2022-38398
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
Medium
5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
batik security update
2023-09-15
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1651
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
2023-09-15
CVE-2022-38648
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
Medium
5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
batik security update
2023-09-15
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1651
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
2023-09-15
CVE-2022-40146
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
batik security update
2023-09-15
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1651
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading of external resources by default, causing resource consumption or, in some cases, even information disclosure. Users are recommended to upgrade to version 1.17 or later.
2023-09-15
CVE-2022-44729
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
High
7.1
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
batik security update
2023-09-15
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1651
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16. A malicious SVG can probe user profile / data and send it directly as a parameter to a URL.
2023-09-15
CVE-2022-44730
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2
Medium
4.4
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
batik security update
2023-09-15
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1651