CVE-2022-41704 - Server-Side Request Forgery (SSRF)
Severity: High2022-11-07
Abstract
A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.
The Oxygen products incorporate Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen XML Author v25.0 and older | High | Oxygen XML
Author 24.1 build 2022110312 Oxygen XML Author 25.0 build 2022110706 |
Oxygen XML Developer v25.0 and older | High | Oxygen
XML Developer 24.1 build 2022110312 Oxygen XML Developer 25.0 build 2022110706 |
Oxygen XML Editor v25.0 and older | High | Oxygen XML
Editor 24.1 build 2022110312 Oxygen XML Editor 25.0 build 2022110706 |
Oxygen PDF Chemistry v25.0 and older | None | Oxygen
PDF Chemistry 24.1 build 2022110402 Oxygen PDF Chemistry 25.0 build 2022110500 |
Oxygen Publishing Engine v25.0 and older | None |
Oxygen Publishing Engine 24.1 build 2022110402 Oxygen Publishing Engine 25.0 build 2022110500 |
Oxygen XML Web Author v25.0.0.0 and older | None |
Oxygen XML Web Author 24.1.0.2 build 2022110410 Oxygen XML Web Author 25.0.0.1 build 2022111708 |
Detail
CVE-2022-41704
Severity: High
CVSS Score: 7.5
The Batik third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41704 vulnerability description.
Starting with Oxygen XML Author v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Developer v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Editor v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Author v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Developer v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Editor v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Web Author v24.1.0.2 build 2022110410 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708 batik-bridge library was removed, which fixes this vulnerability.