{"api_version":"1","generated_at":"2026-04-22T22:50:40+00:00","cve":"CVE-2022-42890","urls":{"html":"https://cve.report/CVE-2022-42890","api":"https://cve.report/api/cve/CVE-2022-42890.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-42890","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-42890"},"summary":{"title":"CVE-2022-42890","description":"A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2022-10-25 17:15:00","updated_at":"2024-01-07 11:15:00"},"problem_types":["CWE-918"],"metrics":[],"references":[{"url":"https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly","name":"https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html","name":"[debian-lts-announce] 20221029 [SECURITY] [DLA 3169-1] batik security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3169-1] batik security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202401-11","name":"GLSA-202401-11","refsource":"","tags":[],"title":"","mime":"","httpstatus":"200","archivestatus":"200"},{"url":"http://www.openwall.com/lists/oss-security/2022/10/25/3","name":"[oss-security] 20221025 [CVE-2022-42890] Apache Batik information disclosure vulnerability","refsource":"MLIST","tags":[],"title":"oss-security - [CVE-2022-42890] Apache Batik information disclosure vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2022/dsa-5264","name":"DSA-5264","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5264-1 batik","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-42890","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42890","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"This issue was independently reported by Y4tacker and 4ra1n of Chaitin Tech","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"42890","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"batik","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"42890","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"42890","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-42890","qid":"150696","title":"Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2023)"},{"cve":"CVE-2022-42890","qid":"181174","title":"Debian Security Update for batik (DLA 3169-1)"},{"cve":"CVE-2022-42890","qid":"181176","title":"Debian Security Update for batik (DSA 5264-1)"},{"cve":"CVE-2022-42890","qid":"182666","title":"Debian Security Update for batik (CVE-2022-42890)"},{"cve":"CVE-2022-42890","qid":"199377","title":"Ubuntu Security Notification for Apache Batik Vulnerabilities (USN-6117-1)"},{"cve":"CVE-2022-42890","qid":"354806","title":"Amazon Linux Security Advisory for batik : ALAS2-2023-1966"},{"cve":"CVE-2022-42890","qid":"354807","title":"Amazon Linux Security Advisory for batik : ALAS-2023-1695"},{"cve":"CVE-2022-42890","qid":"355063","title":"Amazon Linux Security Advisory for batik : AL2012-2023-387"},{"cve":"CVE-2022-42890","qid":"710829","title":"Gentoo Linux Apache Batik Multiple Vulnerabilities (GLSA 202401-11)"},{"cve":"CVE-2022-42890","qid":"730979","title":"Atlassian Confluence Data Center and Server Multiple Vulnerabilities (CONFSERVER-93179,CONFSERVER-93178,CONFSERVER-93175)"},{"cve":"CVE-2022-42890","qid":"731294","title":"Atlassian Jira Software Data Center and Server Remote Code Execution (RCE) Vulnerability (JSWSERVER-25801)"},{"cve":"CVE-2022-42890","qid":"755916","title":"SUSE Enterprise Linux Security Update for xmlgraphics-batik (SUSE-SU-2024:0777-1)"},{"cve":"CVE-2022-42890","qid":"755935","title":"SUSE Enterprise Linux Security Update for xmlgraphics-batik (SUSE-SU-2024:0808-1)"},{"cve":"CVE-2022-42890","qid":"87546","title":"Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2023)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2022-42890","STATE":"PUBLIC","TITLE":"Apache Batik prior to 1.16 allows RCE via scripting"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache XML Graphics","version":{"version_data":[{"version_affected":"<=","version_name":"Batik","version_value":"1.15"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"credit":[{"lang":"eng","value":"This issue was independently reported by Y4tacker and 4ra1n of Chaitin Tech"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":[[]],"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Remote code execution via batik scripting"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly","name":"https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly"},{"refsource":"MLIST","name":"[oss-security] 20221025 [CVE-2022-42890] Apache Batik information disclosure vulnerability","url":"http://www.openwall.com/lists/oss-security/2022/10/25/3"},{"refsource":"MLIST","name":"[debian-lts-announce] 20221029 [SECURITY] [DLA 3169-1] batik security update","url":"https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html"},{"refsource":"DEBIAN","name":"DSA-5264","url":"https://www.debian.org/security/2022/dsa-5264"}]},"source":{"discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-10-25 17:15:00","lastModifiedDate":"2024-01-07 11:15:00","problem_types":["CWE-918"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0","versionEndExcluding":"1.16","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}