CVE-2022-38648

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b	Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html	Mailing List
https://security.gentoo.org/glsa/202401-11
https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b	Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html	Mailing List
https://security.gentoo.org/glsa/202401-11

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:batik:1.14:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

21 Nov 2024, 07:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-09-22 15:15

Updated : 2024-11-21 07:16

NVD link : CVE-2022-38648

Mitre link : CVE-2022-38648

CVE.ORG link : CVE-2022-38648

JSON object : View

Products Affected

apache

batik

debian

debian_linux

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2022-38648", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-09-22T15:15:09.350", "references": [{"url": "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html", "tags": ["Mailing List"], "source": "security@apache.org"}, {"url": "https://security.gentoo.org/glsa/202401-11", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", "tags": ["Mailing List", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00021.html", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/202401-11", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-918"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14."}, {"lang": "es", "value": "Una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) en Batik de Apache XML Graphics permite a un atacante conseguir recursos externos. Este problema afecta a Batik de Apache XML Graphics versi\u00f3n 1.14"}], "lastModified": "2024-11-21T07:16:51.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:batik:1.14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F4442FE-A805-4B59-BA99-9E492F793BAB"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}

5.3 /10