CVE-2022-42890 - Arbitrary Code Execution (ACE)
Severity: High2022-11-07
Abstract
A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.
The Oxygen products incorporate Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen XML Author v25.0 and older | High | Oxygen XML
Author 24.1 build 2022110312 Oxygen XML Author 25.0 build 2022110706 |
Oxygen XML Developer v25.0 and older | High | Oxygen
XML Developer 24.1 build 2022110312 Oxygen XML Developer 25.0 build 2022110706 |
Oxygen XML Editor v25.0 and older | High | Oxygen XML
Editor 24.1 build 2022110312 Oxygen XML Editor 25.0 build 2022110706 |
Oxygen PDF Chemistry v25.0 and older | None | Oxygen
PDF Chemistry 24.1 build 2022110402 Oxygen PDF Chemistry 25.0 build 2022110500 |
Oxygen Publishing Engine v25.0 and older | None |
Oxygen Publishing Engine 24.1 build 2022110402 Oxygen Publishing Engine 25.0 build 2022110500 |
Detail
CVE-2022-42890
Severity: High
CVSS Score: 7.5
The Batik third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-42890 vulnerability description.
Starting with Oxygen XML Author v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Developer v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Editor v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Author v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Developer v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.
Starting with Oxygen XML Editor v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.