CVE-2022-40146 - Server-Side Request Forgery (SSRF) in Apache Batik
Severity: Low
Date: 2022-12-15
Abstract
A Server-Side Request Forgery (SSRF) vulnerability in Apache Batik (part of Apache XML Graphics) allows an attacker to access files using a jar: URL. This issue affects Apache XML Graphics Batik 1.14.
The Oxygen products incorporate Batik as a third-party library. This advisory was opened to address the potential impact of that third-party library vulnerability on the Oxygen products.
Affected Products/Versions
Product | Severity | Fixed Release Availability
--- | --- | ---
Oxygen XML Author v24.1 and older | Low | Oxygen XML Author 24.1 build 2022110312; Oxygen XML Author 25.0 build 2022101006
Oxygen XML Developer v24.1 and older | Low | Oxygen XML Developer 24.1 build 2022110312; Oxygen XML Developer 25.0 build 2022101006
Oxygen XML Editor v24.1 and older | Low | Oxygen XML Editor 24.1 build 2022110312; Oxygen XML Editor 25.0 build 2022101006
Oxygen Publishing Engine v24.1 and older | Low | Oxygen Publishing Engine 24.1 build 2022110402; Oxygen Publishing Engine 25.0 build 2022101006
Detail
CVE-2022-40146
Severity: High
CVSS Score: 7.5
The Batik third-party library bundled with the Oxygen XML products is one of the affected versions named in the CVE-2022-40146 description. However, the Oxygen products have a security mechanism that blocks connections to untrusted hosts, which limits what an SSRF through Batik can reach. For that reason, the severity level for the Oxygen products has been rated as Low, even though the CVE itself carries a CVSS score of 7.5 (High).
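The mitigation above relies on deciding which host a URL actually reaches, and jar: URLs are exactly the case where a naive check gets that wrong: the outer URL has no host of its own (Python's urlsplit reports none, and java.net.URL.getHost() returns an empty string for a jar: URL), while the real network target is the inner URL before the "!/" separator. The following is an added example, not Oxygen's or Batik's code; the allowlist, host names and sample URLs are hypothetical and constructed for illustration. It shows a host check that trusts the outer URL next to one that unwraps nested jar: wrappers first.

```python
"""Host allowlist checks with and without jar: URL unwrapping.

Added example, not Oxygen's or Batik's code. TRUSTED_HOSTS and the
sample URLs are hypothetical values constructed for this illustration.
"""
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the application may fetch from.
TRUSTED_HOSTS = {"resources.example.com", "localhost"}


def naive_is_trusted(url: str) -> bool:
    """Weak check: looks only at the outermost URL.

    For 'jar:http://attacker/x.jar!/entry' urlsplit yields scheme 'jar'
    and no host, so the common shortcut "no network host means local and
    safe" (meant for file: or data: URLs) lets the request through.
    """
    host = urlsplit(url).hostname
    if host is None:
        return True
    return host.lower() in TRUSTED_HOSTS


def unwrap_jar_url(url: str) -> str:
    """Strip every 'jar:' wrapper and return the innermost URL.

    A jar: URL has the form jar:<inner>!/<entry>; the separator is the
    last "!/" so that nested wrappers (jar:jar:...!/a.jar!/b) peel off
    one layer per iteration. A jar: URL without "!/" is malformed.
    """
    while url.lower().startswith("jar:"):
        inner = url[len("jar:"):]
        sep = inner.rfind("!/")
        if sep < 0:
            raise ValueError("jar: URL without '!/' entry separator: %r" % url)
        url = inner[:sep]
    return url


def effective_host(url: str):
    """Host the request would really connect to, or None if it has none."""
    return urlsplit(unwrap_jar_url(url)).hostname


def is_trusted(url: str) -> bool:
    """Hardened check: decide on the innermost URL's scheme and host.

    Only http(s) to an allowlisted host passes. Local archives reached via
    file: are rejected here because the input is attacker-influenced;
    anything else (data:, ftp:, unknown schemes) is rejected as well.
    """
    try:
        inner = urlsplit(unwrap_jar_url(url))
    except ValueError:
        return False
    scheme = inner.scheme.lower()
    if scheme in ("http", "https"):
        host = inner.hostname
        return host is not None and host.lower() in TRUSTED_HOSTS
    return False


if __name__ == "__main__":
    for sample in (
        "http://resources.example.com/icons.svg",
        "jar:https://resources.example.com/lib.jar!/icons.svg",
        "jar:http://attacker.example/x.jar!/payload.svg",
        "jar:jar:http://attacker.example/a.jar!/b.jar!/c.svg",
        "jar:file:///opt/app/lib.jar!/secret.txt",
    ):
        print("%-55s naive=%-5s hardened=%s"
              % (sample, naive_is_trusted(sample), is_trusted(sample)))
```

The decision has to be taken on the same URL the fetching layer will ultimately open; unwrapping in the check but letting the library resolve the original string is fine only as long as both agree on where the "!/" boundary lies, which is why the unwrapper mirrors the last-"!/" rule rather than the first.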