{"api_version":"1","generated_at":"2026-04-22T22:50:01+00:00","cve":"CVE-2022-41704","urls":{"html":"https://cve.report/CVE-2022-41704","api":"https://cve.report/api/cve/CVE-2022-41704.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-41704","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-41704"},"summary":{"title":"CVE-2022-41704","description":"A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2022-10-25 17:15:00","updated_at":"2024-01-07 11:15:00"},"problem_types":["CWE-918"],"metrics":[],"references":[{"url":"http://www.openwall.com/lists/oss-security/2022/10/25/2","name":"[oss-security] 20221025 [CVE-2022-41704] Apache Batik information disclosure vulnerability","refsource":"MLIST","tags":[],"title":"oss-security - [CVE-2022-41704] Apache Batik information disclosure vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.apache.org/thread/hplhx0o74jb7blj39fm4kw3otcnjd6xf","name":"https://lists.apache.org/thread/hplhx0o74jb7blj39fm4kw3otcnjd6xf","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html","name":"[debian-lts-announce] 20221029 [SECURITY] [DLA 3169-1] batik security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3169-1] batik security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202401-11","name":"GLSA-202401-11","refsource":"","tags":[],"title":"","mime":"","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2022/dsa-5264","name":"DSA-5264","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5264-1 batik","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-41704","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-41704","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"This issue was independently reported by 4ra1n of Chaitin Tech and pwnull","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"41704","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"batik","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"41704","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"41704","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-41704","qid":"181174","title":"Debian Security Update for batik (DLA 3169-1)"},{"cve":"CVE-2022-41704","qid":"181176","title":"Debian Security Update for batik (DSA 5264-1)"},{"cve":"CVE-2022-41704","qid":"182699","title":"Debian Security Update for batik (CVE-2022-41704)"},{"cve":"CVE-2022-41704","qid":"199377","title":"Ubuntu Security Notification for Apache Batik Vulnerabilities (USN-6117-1)"},{"cve":"CVE-2022-41704","qid":"354806","title":"Amazon Linux Security Advisory for batik : ALAS2-2023-1966"},{"cve":"CVE-2022-41704","qid":"354807","title":"Amazon Linux Security Advisory for batik : ALAS-2023-1695"},{"cve":"CVE-2022-41704","qid":"355063","title":"Amazon Linux Security Advisory for batik : AL2012-2023-387"},{"cve":"CVE-2022-41704","qid":"710829","title":"Gentoo Linux Apache Batik Multiple Vulnerabilities (GLSA 202401-11)"},{"cve":"CVE-2022-41704","qid":"730979","title":"Atlassian Confluence Data Center and Server Multiple Vulnerabilities (CONFSERVER-93179,CONFSERVER-93178,CONFSERVER-93175)"},{"cve":"CVE-2022-41704","qid":"731296","title":"Atlassian Jira Software Data Center and Server Remote Code Execution (RCE) Vulnerability (JSWSERVER-25800)"},{"cve":"CVE-2022-41704","qid":"755916","title":"SUSE Enterprise Linux Security Update for xmlgraphics-batik (SUSE-SU-2024:0777-1)"},{"cve":"CVE-2022-41704","qid":"755935","title":"SUSE Enterprise Linux Security Update for xmlgraphics-batik (SUSE-SU-2024:0808-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2022-41704","STATE":"PUBLIC","TITLE":"Apache Batik prior to 1.16 allows RCE when loading untrusted SVG input"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache XML Graphics","version":{"version_data":[{"version_affected":"<=","version_name":"Batik","version_value":"1.15"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"credit":[{"lang":"eng","value":"This issue was independently reported by 4ra1n of Chaitin Tech and pwnull"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":[[]],"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"A jar file can be loaded from svg script element"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://lists.apache.org/thread/hplhx0o74jb7blj39fm4kw3otcnjd6xf","name":"https://lists.apache.org/thread/hplhx0o74jb7blj39fm4kw3otcnjd6xf"},{"refsource":"MLIST","name":"[oss-security] 20221025 [CVE-2022-41704] Apache Batik information disclosure vulnerability","url":"http://www.openwall.com/lists/oss-security/2022/10/25/2"},{"refsource":"MLIST","name":"[debian-lts-announce] 20221029 [SECURITY] [DLA 3169-1] batik security update","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html"},{"refsource":"DEBIAN","name":"DSA-5264","url":"https://www.debian.org/security/2022/dsa-5264"}]},"source":{"discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-10-25 17:15:00","lastModifiedDate":"2024-01-07 11:15:00","problem_types":["CWE-918"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0","versionEndExcluding":"1.16","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}