CVE-2022-41704 - Server-Side Request Forgery (SSRF)

Severity: High2022-11-07

Security Advisories

Abstract

A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.

The Oxygen products incorporate Batik as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

ProductSeverityFixed Release Availability
Oxygen XML Author v25.0 and olderHigh Oxygen XML Author 24.1 build 2022110312
Oxygen XML Author 25.0 build 2022110706
Oxygen XML Developer v25.0 and olderHigh Oxygen XML Developer 24.1 build 2022110312
Oxygen XML Developer 25.0 build 2022110706
Oxygen XML Editor v25.0 and olderHigh Oxygen XML Editor 24.1 build 2022110312
Oxygen XML Editor 25.0 build 2022110706
Oxygen PDF Chemistry v25.0 and olderNone Oxygen PDF Chemistry 24.1 build 2022110402
Oxygen PDF Chemistry 25.0 build 2022110500
Oxygen Publishing Engine v25.0 and olderNone Oxygen Publishing Engine 24.1 build 2022110402
Oxygen Publishing Engine 25.0 build 2022110500
Oxygen XML Web Author v25.0.0.0 and olderNone Oxygen XML Web Author 24.1.0.2 build 2022110410
Oxygen XML Web Author 25.0.0.1 build 2022111708

Mitigation

None

Detail

CVE-2022-41704

Severity: High

CVSS Score: 7.5

The Batik third-party library used by Oxygen XML products is an affected version mentioned in CVE-2022-41704 vulnerability description.

Starting with Oxygen XML Author v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Developer v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Editor v24.1 build 2022110312 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Author v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Developer v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Editor v25.0 build 2022110706 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Web Author v24.1.0.2 build 2022110410 Batik library was updated to v1.16 which fixes this vulnerability.

Starting with Oxygen XML Web Author v25.0.0.1 build 2022111708 batik-bridge library was removed, which fixes this vulnerability.

List of Security Advisories