[Bugs] [Bug 13216] New: batik 1.11 cve-s found
bugzilla
bugzilla at rosalinux.ru
Sun Apr 16 21:10:32 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13216
Platform: 2021.1
Bug ID: 13216
Summary: batik 1.11 cve-s found
Classification: ROSA-based products
Product: Certified ROSA distros
Version: Chrome
Hardware: All
OS: Linux
Status: CONFIRMED
Severity: major
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs at lists.rosalinux.ru
Reporter: y.tumanov at rosalinux.ru
QA Contact: bugs at lists.rosalinux.ru
Target Milestone: ---
Group: ROSA-plus-NTCIT
CVE-2019-17566
Apache Batik is vulnerable to server-side request forgery, caused by
improper input validation by the "xlink:href" attributes. By using a
specially-crafted argument, an attacker could exploit this vulnerability to
cause the underlying server to make arbitrary GET requests.
https://nvd.nist.gov/vuln/detail/CVE-2019-17566
HIGH
CVE-2022-41704
A vulnerability in Batik of Apache XML Graphics allows an attacker to
run untrusted Java code from an SVG. This issue affects Apache XML Graphics
prior to 1.16. It is recommended to update to version 1.16.
https://nvd.nist.gov/vuln/detail/CVE-2022-41704
HIGH
CVE-2022-42890
A vulnerability in Batik of Apache XML Graphics allows an attacker to
run Java code from untrusted SVG via JavaScript. This issue affects Apache XML
Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
https://nvd.nist.gov/vuln/detail/CVE-2022-42890
HIGH
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.