High severityNVD Advisory· Published Sep 22, 2022· Updated Nov 3, 2025
Jar url should be blocked by DefaultScriptSecurity
CVE-2022-40146
Description
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.xmlgraphics:batikMaven | >= 1.0, < 1.15 | 1.15 |
Affected products
3- ghsa-coords2 versionspkg:maven/org.apache.xmlgraphics/batikpkg:rpm/suse/xmlgraphics-batik&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
>= 1.0, < 1.15+ 1 more
- (no CPE)range: >= 1.0, < 1.15
- (no CPE)range: < 1.17-2.7.1
- Apache Software Foundation/Apache XML Graphicsv5Range: Batik 1.14
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-h4qg-p7r2-cpg3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-40146ghsaADVISORY
- security.gentoo.org/glsa/202401-11ghsavendor-advisoryWEB
- issues.apache.org/jira/browse/BATIK-1335ghsaWEB
- lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsxghsaWEB
- lists.debian.org/debian-lts-announce/2023/10/msg00021.htmlghsamailing-listWEB
- lists.debian.org/debian-lts-announce/2025/07/msg00006.htmlghsaWEB
News mentions
0No linked articles in our index yet.