Moderate severityNVD Advisory· Published Sep 22, 2022· Updated Nov 3, 2025
PDFTranscoder does not block external resources
CVE-2022-38648
Description
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.xmlgraphics:batikMaven | < 1.15 | 1.15 |
org.apache.xmlgraphics:batik-bridgeMaven | < 1.15 | 1.15 |
Affected products
4- ghsa-coords3 versionspkg:maven/org.apache.xmlgraphics/batikpkg:maven/org.apache.xmlgraphics/batik-bridgepkg:rpm/suse/xmlgraphics-batik&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
< 1.15+ 2 more
- (no CPE)range: < 1.15
- (no CPE)range: < 1.15
- (no CPE)range: < 1.17-2.7.1
- Apache Software Foundation/Apache XML Graphicsv5Range: Batik 1.14
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-53jm-3hc9-fqqcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-38648ghsaADVISORY
- security.gentoo.org/glsa/202401-11ghsavendor-advisoryWEB
- github.com/apache/xmlgraphics-batik/commit/996aa8897c208be11ce65cef00c9576a299b2637ghsaWEB
- issues.apache.org/jira/browse/BATIK-1333ghsaWEB
- lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7bghsaWEB
- lists.debian.org/debian-lts-announce/2023/10/msg00021.htmlghsamailing-listWEB
- lists.debian.org/debian-lts-announce/2025/07/msg00006.htmlghsaWEB
News mentions
0No linked articles in our index yet.