Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -3 articles for you...
91
security advisorygentoocode executionGentoo: GLSA-202401-12 Critical: Apache Tomcat Security Vulnerabilities
Multiple vulnerabilities have been found in Apache Batik, the worst of which could result in arbitrary code execution.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202401-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Apache Batik: Multiple Vulnerabilities Date: January 07, 2024 Bugs: #724534, #872689, #918088 ID: 202401-11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Apache Batik, the worst of which could result in arbitrary code execution. Background ========== Apache Batik is a Java-based toolkit for applications or applets that want to use images in the Scalable Vector Graphics (SVG) format for various purposes, such as display, generation or manipulation. Affected packages ================= Package Vulnerable Unaffected -------------- ------------ ------------ dev-java/batik < 1.17 > = 1.17 Description =========== Multiple vulnerabilities have been discovered in Apache Batik. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Apache Batik users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =dev-java/batik-1.17" References ========== [ 1 ] CVE-2018-8013 https://nvd.nist.gov/vuln/detail/CVE-2018-8013 [ 2 ] CVE-2019-17566 https://nvd.nist.gov/vuln/detail/CVE-2019-17566 [ 3 ] CVE-2020-11987 https://nvd.nist.gov/vuln/detail/CVE-2020-11987 [ 4 ] CVE-2022-38398 https://nvd.nist.gov/vuln/detail/CVE-2022-38398 [ 5 ] CVE-2022-38648 https://nvd.nist.gov/vuln/detail/CVE-2022-38648 [ 6 ] CVE-2022-40146 https://nvd.nist.gov/vuln/detail/CVE-2022-40146 [ 7 ] CVE-2022-41704 https://nvd.nist.gov/vuln/detail/CVE-2022-41704 [ 8 ] CVE-2022-42890 https://nvd.nist.gov/vuln/detail/CVE-2022-42890 [ 9 ] CVE-2022-44729 https://nvd.nist.gov/vuln/detail/CVE-2022-44729 [ 10 ] CVE-2022-44730 https://nvd.nist.gov/vuln/detail/CVE-2022-44730 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202401-11 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Jan 07, 2024
Gentoo
172
security advisorycriticalremote accessUbuntu 22.10 USN-6117-1 Critical: Apache Batik Security Threats
Several security issues were fixed in Apache Batik.. =========================================================================Ubuntu Security Notice USN-6117-1 May 30, 2023 batik vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS (Available with Ubuntu Pro) - Ubuntu 14.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in Apache Batik. Software Description: - batik: SVG Library Details: It was discovered that Apache Batik incorrectly handled certain inputs. An attacker could possibly use this to perform a cross site request forgery attack. (CVE-2019-17566, CVE-2020-11987, CVE-2022-38398, CVE-2022-38648) It was discovered that Apache Batik incorrectly handled Jar URLs in some situations. A remote attacker could use this issue to access files on the server. (CVE-2022-40146) It was discovered that Apache Batik allowed running untrusted Java code from an SVG. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2022-41704, CVE-2022-42890) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.10: libbatik-java 1.14-2ubuntu0.1 Ubuntu 22.04 LTS: libbatik-java 1.14-1ubuntu0.2 Ubuntu 20.04 LTS: libbatik-java 1.12-1ubuntu0.1 Ubuntu 18.04 LTS: libbatik-java 1.10-2~18.04.1 Ubuntu 16.04 LTS (Available with Ubuntu Pro): libbatik-java 1.8-3ubuntu1+esm1 Ubuntu 14.04 LTS (Available with Ubuntu Pro): libbatik-java 1.7.ubuntu-8ubuntu2.14.04.3+esm1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-6117-1 CVE-2019-17566, CVE-2020-11987, CVE-2022-38398, CVE-2022-38648, CVE-2022-40146, CVE-2022-41704, CVE-2022-42890 Package Information: https://launchpad.net/ubuntu/+source/batik/1.14-2ubuntu0.1 https://launchpad.net/ubuntu/+source/batik/1.14-1ubuntu0.2 https://launchpad.net/ubuntu/+source/batik/1.12-1ubuntu0.1 https://launchpad.net/ubuntu/+source/batik/1.10-2~18.04.1 . Recent vulnerabilities addressed in Apache Batik across various Ubuntu versions necessitate prompt installations of updates to prevent potential security breaches.. Apache Batik, Security Update, Ubuntu Advisory, Denial of Service. . Severity: Critical. LinuxSecurity.com Team
May 30, 2023
•Critical
Ubuntu
87
security advisoryremote code executiondebianDebian Bullseye: DSA-5264-1 Critical: Batik Remote Code Execution
It was discovered that Apache Batik, a SVG library for Java, allowed attackers to run arbitrary Java code by processing a malicious SVG file. For the stable distribution (bullseye), these problems have been fixed in . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5264-1
Oct 29, 2022
•Critical
Debian
197
security advisoryhigh severitycode executionDebian 10 DLA-3169-1 High: Batik Arbitrary Code Execution Advisory
It was discovered that Apache Batik, a SVG library for Java, allowed attackers to run arbitrary Java code by processing a malicious SVG file. For Debian 10 buster, these problems have been fixed in version . ------------------------------------------------------------------------- Debian LTS Advisory DLA-3169-1
Oct 29, 2022
Debian LTS
203
security advisorysystem integrityapache batikMageia 7: 2021-0168 Critical SSRF Attack Fix for Apache Batik
A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery attack (SSRF) via "xlink:href" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. The highest threat from this vulnerability is to system integrity (CVE-2019-17566). . MGASA-2021-0168 - Updated batik packages fix security vulnerabilities Publication date: 02 Apr 2021 URL: https://advisories.mageia.org/MGASA-2021-0168.html Type: security Affected Mageia releases: 7 CVE: CVE-2019-17566, CVE-2020-11987 A flaw was found in the Apache Batik library, where it is vulnerable to a Server-Side Request Forgery attack (SSRF) via "xlink:href" attributes. This flaw allows an attacker to cause the underlying server to make arbitrary GET requests. The highest threat from this vulnerability is to system integrity (CVE-2019-17566). The Apache Batik library is vulnerable to SSRF via the NodePickerPanel that allow an attacker to cause the underlying server to make arbitrary GET requests (CVE-2020-11987). References: - https://bugs.mageia.org/show_bug.cgi?id=26800 - https://www.openwall.com/lists/oss-security/2021/02/24/2 - https://xmlgraphics.apache.org/security.html - https://lists.fedoraproject.org/archives/list/
Apr 02, 2021
•Critical
Mageia
203
security advisorycriticalssrfMageia 8: MGASA-2021-0139 Critical SSRF in Apache Batik Library
The Apache Batik library is vulnerable to SSRF via the NodePickerPanel that allow an attacker to cause the underlying server to make arbitrary GET requests (CVE-2020-11987). References: . MGASA-2021-0139 - Updated batik packages fix a security vulnerability Publication date: 17 Mar 2021 URL: https://advisories.mageia.org/MGASA-2021-0139.html Type: security Affected Mageia releases: 8 CVE: CVE-2020-11987 The Apache Batik library is vulnerable to SSRF via the NodePickerPanel that allow an attacker to cause the underlying server to make arbitrary GET requests (CVE-2020-11987). References: - https://bugs.mageia.org/show_bug.cgi?id=28439 - https://www.openwall.com/lists/oss-security/2021/02/24/2 - https://xmlgraphics.apache.org/security.html - https://www.cve.org/CVERecord?id=CVE-2020-11987 SRPMS: - 8/core/batik-1.14-1.1.mga8 . Recent batik updates address an SSRF flaw in the Apache Batik library, enhancing the security for users of Mageia 8.. apache batik update, ssrf security patch, mageia security advisory. . Severity: Critical. LinuxSecurity.com Team
Mar 17, 2021
•Critical
Mageia
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!