SB2024030775 - SUSE update for xmlgraphics-batik 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024030775

SB2024030775 - SUSE update for xmlgraphics-batik

Published: March 7, 2024

Security Bulletin ID SB2024030775
Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 25% Medium 50% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Code Injection (CVE-ID: CVE-2022-41704)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure processing links to .jar files inside .svg images. A remote attacker can upload a malicious .svg image that contains links to .jar files and execute arbitrary Java code on the system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Code injection example:

<script type="application/java-archive" xlink:href="file.jar"/>


2) Code Injection (CVE-ID: CVE-2022-42890)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to the application allows running Java classes via JavaScript. A remote user can use JavaScript to execute a Java class on the system and obtain its execution results.

Example:

Runtime.getRuntime().exec("xxx");


3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2022-44729)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.


4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2022-44730)

The disclosed vulnerability allows a remote user to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when parsing SVG images. A remote user can upload a malicious SVG image and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.


Remediation

Install update from vendor's website.

References