<html>
    <head>
      <base href="https://bugzilla.rosalinux.ru/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Platform</th>
          <td>2021.1
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_CONFIRMED "
   title="CONFIRMED - batik 1.11 cve-s found"
   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13216">13216</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>batik 1.11 cve-s found
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>ROSA-based products
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>Certified ROSA distros
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>Chrome
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>CONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>major
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>System (kernel, glibc, systemd, bash, PAM...)
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Target Milestone</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Group</th>
          <td>ROSA-plus-NTCIT
          </td>
        </tr></table>
      <p>
        <div>
        <pre>CVE-2019-17566
        Apache Batik is vulnerable to server-side request forgery, caused by
        improper input validation by the &quot;xlink:href&quot; attributes. By using a
        specially-crafted argument, an attacker could exploit this vulnerability to
        cause the underlying server to make arbitrary GET requests.
        <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-17566">https://nvd.nist.gov/vuln/detail/CVE-2019-17566</a>
        HIGH

CVE-2022-41704
        A vulnerability in Batik of Apache XML Graphics allows an attacker to
        run untrusted Java code from an SVG. This issue affects Apache XML Graphics
        prior to 1.16. It is recommended to update to version 1.16.
        <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-41704">https://nvd.nist.gov/vuln/detail/CVE-2022-41704</a>
        HIGH

CVE-2022-42890
        A vulnerability in Batik of Apache XML Graphics allows an attacker to
        run Java code from untrusted SVG via JavaScript. This issue affects Apache XML
        Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
        <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-42890">https://nvd.nist.gov/vuln/detail/CVE-2022-42890</a>
        HIGH</pre>
        </div>
      </p>


    </body>
</html>