CVE-2022-40146 - Local Privilege Escalation

Severity: Low

2022-12-15


Abstract

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a jar URL. This issue affects Apache XML Graphics Batik 1.14.

The Oxygen products incorporate Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product | Severity | Fixed Release Availability
Oxygen XML Author v24.1 and older | Low | Oxygen XML Author 24.1 build 2022110312; Oxygen XML Author 25.0 build 2022101006
Oxygen XML Developer v24.1 and older | Low | Oxygen XML Developer 24.1 build 2022110312; Oxygen XML Developer 25.0 build 2022101006
Oxygen XML Editor v24.1 and older | Low | Oxygen XML Editor 24.1 build 2022110312; Oxygen XML Editor 25.0 build 2022101006
Oxygen Publishing Engine v24.1 and older | Low | Oxygen Publishing Engine 24.1 build 2022110402; Oxygen Publishing Engine 25.0 build 2022101006

Mitigation

None

Detail

CVE-2022-40146

Severity: High

CVSS Score: 7.5

The Batik third-party library used by the Oxygen XML products is one of the affected versions named in the CVE-2022-40146 vulnerability description. However, the Oxygen products have a security mechanism that blocks connections to untrusted hosts. For that reason, we have rated the severity level for our products as Low.
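To illustrate the kind of untrusted-host check described above, here is an added Python example (not Oxygen's or Batik's own code) that first unwraps a jar: URL to the resource it actually wraps and only then applies a host allowlist, so that both jar:file: URLs and jar: URLs pointing at an unlisted host are refused. The allowlisted hosts and the nesting limit are constructed for this example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for this demonstration; not a real product configuration.
TRUSTED_HOSTS = {"docs.example.com", "assets.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
MAX_JAR_NESTING = 4  # constructed bound against pathological nesting


def unwrap_jar_url(url: str) -> Optional[str]:
    """Return the innermost URL wrapped by one or more 'jar:' prefixes.

    A jar URL has the form jar:<inner-url>!/<entry>. Any host check must
    be applied to <inner-url>, not to the outer string. Returns None for a
    jar URL without the '!/' separator or for excessive nesting.
    """
    for _ in range(MAX_JAR_NESTING):
        if not url.lower().startswith("jar:"):
            return url
        inner = url[len("jar:"):]
        sep = inner.rfind("!/")
        if sep < 0:
            return None
        url = inner[:sep]
    return None


def is_trusted_resource(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Allow a resource only if, after unwrapping jar: layers, it is an
    http(s) URL whose host is on the allowlist.

    file: and jar:file: URLs fail the scheme check; http(s) URLs to an
    unlisted host (including 'trusted@untrusted' userinfo tricks) fail
    the host check because urlsplit().hostname ignores the userinfo part.
    """
    inner = unwrap_jar_url(url)
    if inner is None:
        return False
    parts = urlsplit(inner)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = (parts.hostname or "").lower()
    return host in trusted_hosts


if __name__ == "__main__":
    for candidate in ("jar:https://docs.example.com/lib.jar!/style.css",
                      "jar:file:///etc/hosts!/x",
                      "jar:https://docs.example.com@untrusted.example/a.jar!/x"):
        print(f"{candidate!r}: allowed={is_trusted_resource(candidate)}")
```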
